Windows Analysis Report
ceFgl3jkkk.exe

Overview

General Information

Sample name: ceFgl3jkkk.exe
Renamed because the original name is a hash value
Original sample name: 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe
Analysis ID: 1560168
MD5: 9cf2fcabd10ee683a3652815014b368c
SHA1: f49914f1cf2b7fbba812eb8fd807b19065008b23
SHA256: 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623
Tags: 77-105-161-194, exe, user-JAMESWT_MHT

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found pyInstaller with non standard icon
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: ceFgl3jkkk.exe Avira: detected
Source: https://marshal-zhukov.com/api) Avira URL Cloud: Label: malware
Source: https://marshal-zhukov.com/apis Avira URL Cloud: Label: malware
Source: droppyrelivei.cfd Avira URL Cloud: Label: malware
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["drawwyobstacw.sbs", "resinedyw.sbs", "mathcucom.sbs", "vennurviot.sbs", "allocatinow.sbs", "droppyrelivei.cfd", "condifendteu.sbs", "ehticsprocw.sbs", "enlargkiw.sbs"], "Build id": "DtiPjR--NashTraff"}
Source: ceFgl3jkkk.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ceFgl3jkkk.exe Joe Sandbox ML: detected
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: droppyrelivei.cfd
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String decryptor: DtiPjR--NashTraff
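The extractor output and the decrypted strings above are the raw material for detection content. The following is an added example (not Joe Sandbox output and not Lumma code) that turns that config into Suricata rules: one dns.query rule and one tls.sni rule per C2 domain, plus a request-body rule derived from the decrypted check-in format string "lid=%s&j=%s&ver=4.0". The config dict is copied from the extractor line above; the SID base, the rule msg wording, and the extra domain passed in by the caller (marshal-zhukov.com, which was only seen on the wire, not in the config) are assumptions of the example.

```python
"""Turn an extracted LummaC configuration into Suricata detection content.

Added example (not Joe Sandbox or Lumma code). EXTRACTED_CONFIG is the dict
the report's Malware Configuration Extractor printed; CHECKIN_FORMAT is the
decrypted "lid=%s&j=%s&ver=4.0" string. The SID base, rule msg wording and
any extra "observed" domains passed by the caller are assumptions.
"""
import json
import re

# Constructed verbatim from the extractor line in the report.
EXTRACTED_CONFIG = json.loads(
    '{"C2 url": ["drawwyobstacw.sbs", "resinedyw.sbs", "mathcucom.sbs", '
    '"vennurviot.sbs", "allocatinow.sbs", "droppyrelivei.cfd", '
    '"condifendteu.sbs", "ehticsprocw.sbs", "enlargkiw.sbs"], '
    '"Build id": "DtiPjR--NashTraff"}'
)
CHECKIN_FORMAT = "lid=%s&j=%s&ver=4.0"   # recovered by the string decryptor

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def normalise_domains(config, extra=()):
    """Lower-case, strip scheme/path, de-duplicate and validate every C2 entry.
    A malformed entry is dropped rather than turned into a rule that never
    fires (or, with an empty content, fires on everything)."""
    seen, out = set(), []
    for raw in list(config.get("C2 url", [])) + list(extra):
        d = re.sub(r"^[a-z]+://", "", raw.strip().lower()).split("/")[0].rstrip(".")
        if d and d not in seen and _DOMAIN_RE.match(d):
            seen.add(d)
            out.append(d)
    return out


def dns_rule(domain, sid):
    # dns.query is the sticky buffer holding the queried name. bsize pins the
    # buffer length to the domain length, so "evil.sbs" cannot also match
    # "notevil.sbs" or "evil.sbs.example".
    return (
        'alert dns $HOME_NET any -> any any (msg:"LummaC C2 domain in DNS lookup '
        f'({domain})"; dns.query; content:"{domain}"; nocase; bsize:{len(domain)}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def tls_sni_rule(domain, sid):
    # Same check on the ClientHello SNI, which is how the report's
    # marshal-zhukov.com hit (ET rule 2057416) was observed.
    return (
        'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC C2 domain in TLS SNI '
        f'({domain})"; tls.sni; content:"{domain}"; nocase; bsize:{len(domain)}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def checkin_body_rule(fmt, sid):
    """Derive a request-body rule from the decrypted check-in format string:
    the literal pieces around the %s placeholders become ordered content
    matches. For "lid=%s&j=%s&ver=4.0" that is lid= ... &j= ... &ver=4.0."""
    literals = [p for p in fmt.split("%s") if p]
    first, rest = literals[0], literals[1:]
    body = f'content:"{first}"; startswith;'
    for lit in rest:
        body += f' content:"{lit}"; distance:0;'
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC check-in POST body"; '
        f'flow:established,to_server; http.method; content:"POST"; http.request_body; {body} '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def build_ruleset(config, sid_base=9100000, extra=()):
    """One DNS and one TLS-SNI rule per domain plus the body rule; SIDs are
    allocated sequentially from sid_base so the set loads without collisions."""
    rules, sid = [], sid_base
    for d in normalise_domains(config, extra):
        rules.append(dns_rule(d, sid)); sid += 1
        rules.append(tls_sni_rule(d, sid)); sid += 1
    rules.append(checkin_body_rule(CHECKIN_FORMAT, sid))
    return rules


if __name__ == "__main__":
    # marshal-zhukov.com is not in the config; it only appeared on the wire.
    for r in build_ruleset(EXTRACTED_CONFIG, extra=["marshal-zhukov.com"]):
        print(r)
```

Two caveats the report itself supports: the decrypted strings include "TeslaBrowser/5.5", but the POST actually observed in this run carried a Chrome 119 User-Agent (see the Networking section), so keying detection on the user agent alone misses this build; and the observed POST /api had a Content-Length of 8, which is too short for the lid=...&ver=4.0 format, so the body rule should be read as covering the later check-in format rather than that first request.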
Source: ceFgl3jkkk.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49776 version: TLS 1.2
Source: ceFgl3jkkk.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_uuid.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _uuid.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.0.dr
Source: Binary string: D:\_w\1\b\libssl-1_1.pdbAA source: libssl-1_1.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1l 24 Aug 2021built on: Thu Aug 26 18:55:02 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\python39.pdb source: python39.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F603E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 0_2_00F603E2
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F699B3 FindFirstFileExW, 0_2_00F699B3
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F699B3 FindFirstFileExW, 2_2_00F699B3
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F603E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 2_2_00F603E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 4E7D7006h 3_2_004410DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h] 3_2_0041032C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh] 3_2_0040D330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 27BAF212h 3_2_0044082D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov edi, ecx 3_2_0040F882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_0042F04C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edx], cl 3_2_0042F04C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h 3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_004240E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+299316FDh] 3_2_004440F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 3_2_0042E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov word ptr [edi], dx 3_2_0040C150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h 3_2_0043E100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0042D13C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0042D13C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-15FF4FD1h] 3_2_004411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+08h] 3_2_0040F1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edx+40h] 3_2_004292C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h 3_2_004012D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0042B2AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov dword ptr [0044FE84h], esi 3_2_00441322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov edi, dword ptr [esi+04h] 3_2_0042F339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], dl 3_2_0042F339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], dl 3_2_0042F339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_0042F339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-352DC610h] 3_2_0042C442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0042C442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+72E893D5h] 3_2_0041D44C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], C85F7986h 3_2_0043D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_004374E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_004124A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov ebx, eax 3_2_0040A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov ebp, eax 3_2_0040A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], dl 3_2_0042F5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], dl 3_2_0042F5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_0042F5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_0042D590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov ebx, dword ptr [esp] 3_2_0042C5B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h 3_2_0043D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+608185C2h] 3_2_004226F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h] 3_2_004226F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+72E892F9h] 3_2_0041D68E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 3_2_0041D68E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_00430698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_00430698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi-41CF7017h] 3_2_004106BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0042B76F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-659232DCh] 3_2_0041F860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [esi], cl 3_2_0041F860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp di, 005Ch 3_2_0041F860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 3_2_0043D820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_0040D830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi+25h] 3_2_00408890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 3_2_0042B8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 3_2_0043E8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+299316FDh] 3_2_00444930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_0042FA6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 3_2_00425AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1CBB9425h 3_2_00441A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 07E776F1h 3_2_00441A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then jmp eax 3_2_0041EB05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h 3_2_0043DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0040EB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 3_2_0041DBCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 3_2_0042DBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then add edi, 02h 3_2_0042DBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 3_2_0042BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov ecx, edx 3_2_00420C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_00430C1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_00430C1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+72E892D9h] 3_2_0043EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], F3285E74h 3_2_0043EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 731CDBF3h 3_2_0043EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 3_2_00429C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then jmp eax 3_2_0042CC8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0042CC8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 3_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 3_2_0042BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 3_2_00405D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then mov esi, eax 3_2_00425D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh 3_2_0043DD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+72E89391h] 3_2_00421D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+1C76AA82h] 3_2_0040DE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 3_2_0041DED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 3_2_0043BEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then movzx edi, byte ptr [esp+esi+10h] 3_2_0042BF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 3_2_00443FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 64567875h 3_2_0043DFA0
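The code-function hits above are all inside C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (process 3), which is where the injected payload runs after the signatures "Creates a process in suspended mode", "Allocates memory in foreign processes", "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" fire. The following added example (not from the report or Joe Sandbox) scores that pattern over Sysmon-style telemetry. The event records are constructed to mirror the chain shown in this report; the PROCESS_* bit values are the documented Win32 constants, while the path heuristics, the score weights and the thread start address are assumptions of the example.

```python
"""Score the process-injection pattern behind the report's "Creates a process
in suspended mode", "Writes to foreign memory regions" and "Injects a PE file
into a foreign process" findings, over Sysmon-style telemetry.

Added example (not from the report or Joe Sandbox). The events are constructed
to mirror the chain the report shows (ceFgl3jkkk.exe on the desktop, injected
code running in ngentask.exe); field names follow Sysmon EventID 1 (process
create), 8 (CreateRemoteThread) and 10 (process access). PROCESS_* values are
the Win32 constants; path heuristics and score weights are assumptions.
"""
from collections import defaultdict

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumption
SYSTEM_DIRS = ("c:\\windows\\",)

NGEN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
DROPPER = r"C:\Users\user\Desktop\ceFgl3jkkk.exe"

# Constructed Sysmon-style records, not real log output. The start address
# mirrors the 3_2_00401000 function the report lists inside ngentask.exe.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": DROPPER,
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4160, "Image": NGEN,
     "ParentProcessId": 4100, "ParentImage": DROPPER},
    {"EventID": 10, "SourceProcessId": 4100, "SourceImage": DROPPER,
     "TargetProcessId": 4160, "TargetImage": NGEN, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 4100, "SourceImage": DROPPER,
     "TargetProcessId": 4160, "TargetImage": NGEN, "StartAddress": "0x00401000"},
    # Control: Task Manager opening the same target with a read-only mask.
    {"EventID": 10, "SourceProcessId": 5000, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetProcessId": 4160, "TargetImage": NGEN, "GrantedAccess": "0x1000"},
]


def _in(path, prefixes):
    return path.lower().startswith(prefixes)


def score_injection(events):
    """Return {(source_pid, target_pid): {"score", "reasons", "source", "target"}}
    for every pair of processes that shows at least one injection indicator.
    Indicators are additive because no single one is present in every
    technique (a hollowed suspended process is resumed, not given a new thread)."""
    findings = defaultdict(lambda: {"score": 0, "reasons": [], "source": None, "target": None})
    created_by = {}   # child pid -> (parent pid, parent image, child image)
    for ev in events:
        if ev["EventID"] == 1:
            created_by[ev["ProcessId"]] = (ev["ParentProcessId"], ev["ParentImage"], ev["Image"])
    # 1) Process-tree anomaly: a system binary spawned from a user-writable path.
    for child, (parent, pimg, cimg) in created_by.items():
        if _in(cimg, SYSTEM_DIRS) and _in(pimg, USER_WRITABLE):
            f = findings[(parent, child)]
            f.update(source=pimg, target=cimg)
            f["score"] += 2
            f["reasons"].append("system-path child spawned from user-writable path")
    # 2) A handle with write + thread rights, or 3) a remote thread, on that target.
    for ev in events:
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK:
                f = findings[(ev["SourceProcessId"], ev["TargetProcessId"])]
                f.update(source=ev["SourceImage"], target=ev["TargetImage"])
                f["score"] += 2
                f["reasons"].append(f"process access 0x{granted:X} includes VM_WRITE|VM_OPERATION|CREATE_THREAD")
        elif ev["EventID"] == 8:
            f = findings[(ev["SourceProcessId"], ev["TargetProcessId"])]
            f.update(source=ev["SourceImage"], target=ev["TargetImage"])
            f["score"] += 3
            f["reasons"].append(f"remote thread started at {ev['StartAddress']}")
    return {k: v for k, v in findings.items() if v["score"] > 0}


if __name__ == "__main__":
    for pair, f in score_injection(SAMPLE_EVENTS).items():
        print(pair, f["score"], f["reasons"])
```

Sysmon does not record the CREATE_SUSPENDED flag on EventID 1, so the process-tree check stands in for the "creates a process in suspended mode" signature; and because a hollowed process is started by resuming its main thread, EventID 8 may be absent entirely, which is why the score adds up the indicators instead of requiring all of them.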

Networking

Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.9:59111 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.9:61384 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.9:53627 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.9:60602 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.9:49776 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.9:57919 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.9:64895 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.9:61039 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057415 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marshal-zhukov .com) : 192.168.2.9:63122 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.9:49780 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.9:49306 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49776 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49776 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.9:49765 -> 104.102.49.254:443
Source: Malware configuration extractor URLs: drawwyobstacw.sbs
Source: Malware configuration extractor URLs: resinedyw.sbs
Source: Malware configuration extractor URLs: mathcucom.sbs
Source: Malware configuration extractor URLs: vennurviot.sbs
Source: Malware configuration extractor URLs: allocatinow.sbs
Source: Malware configuration extractor URLs: droppyrelivei.cfd
Source: Malware configuration extractor URLs: condifendteu.sbs
Source: Malware configuration extractor URLs: ehticsprocw.sbs
Source: Malware configuration extractor URLs: enlargkiw.sbs
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49776 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49780 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49765 -> 104.102.49.254:443
Source: global traffic HTTP traffic detected:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
Source: global traffic HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic DNS traffic detected: DNS query: droppyrelivei.cfd
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: marshal-zhukov.com
Source: unknown HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com
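The Networking section records a fixed order of events from 192.168.2.9: DNS lookups for all nine configured domains, then a GET for a steamcommunity.com profile (flagged by the ETPRO "Steam Profile Lookup" rule), then a DNS lookup and a POST /api to marshal-zhukov.com, a host that is in neither the config nor the decrypted strings. The following is an added example (not part of the report or of Joe Sandbox) that detects that three-stage sequence over constructed DNS and HTTP log records. The records mirror the report's traffic, the second host is a constructed control, the window sizes and the "cheap TLD" list are tuning assumptions, and reading the Steam profile fetch as a dead-drop resolver for the live C2 is the analyst's inference from the rule name and the ordering, not something the report states outright.

```python
"""Correlate the DNS -> Steam-profile -> new-C2 sequence this report's
Networking section shows, over constructed log records.

Added example, not part of the report or of Joe Sandbox. Window sizes and the
"cheap" TLD list are tuning assumptions; treating the steamcommunity.com
profile fetch as a dead-drop resolver is an inference, not a report finding.
"""
from datetime import datetime, timedelta

# Constructed: (ISO timestamp, source host, "dns"|"http", detail). For "dns"
# the detail is the queried name; for "http" it is "METHOD host path".
SAMPLE_LOG = [
    ("2024-11-20T10:00:00", "192.168.2.9", "dns", "drawwyobstacw.sbs"),
    ("2024-11-20T10:00:01", "192.168.2.9", "dns", "resinedyw.sbs"),
    ("2024-11-20T10:00:01", "192.168.2.9", "dns", "mathcucom.sbs"),
    ("2024-11-20T10:00:02", "192.168.2.9", "dns", "vennurviot.sbs"),
    ("2024-11-20T10:00:02", "192.168.2.9", "dns", "allocatinow.sbs"),
    ("2024-11-20T10:00:03", "192.168.2.9", "dns", "droppyrelivei.cfd"),
    ("2024-11-20T10:00:03", "192.168.2.9", "dns", "condifendteu.sbs"),
    ("2024-11-20T10:00:04", "192.168.2.9", "dns", "ehticsprocw.sbs"),
    ("2024-11-20T10:00:04", "192.168.2.9", "dns", "enlargkiw.sbs"),
    ("2024-11-20T10:00:05", "192.168.2.9", "dns", "steamcommunity.com"),
    ("2024-11-20T10:00:06", "192.168.2.9", "http", "GET steamcommunity.com /profiles/76561199724331900"),
    ("2024-11-20T10:00:07", "192.168.2.9", "dns", "marshal-zhukov.com"),
    ("2024-11-20T10:00:08", "192.168.2.9", "http", "POST marshal-zhukov.com /api"),
    # Control host that only browses Steam normally.
    ("2024-11-20T10:05:00", "192.168.2.20", "dns", "steamcommunity.com"),
    ("2024-11-20T10:05:01", "192.168.2.20", "http", "GET steamcommunity.com /profiles/76561198000000000"),
]

CHEAP_TLDS = {"sbs", "cfd", "xyz", "top", "shop"}   # assumption
BURST_MIN = 5                           # distinct cheap-TLD names ...
BURST_WINDOW = timedelta(seconds=60)    # ... within this window
FOLLOW_WINDOW = timedelta(seconds=120)  # max gap to the next stage


def _tld(name):
    return name.rsplit(".", 1)[-1].lower()


def detect_lumma_sequence(records):
    """Return one alert per source host showing all three stages in order:
    (1) a burst of lookups for distinct cheap-TLD names, (2) a GET for a
    steamcommunity.com /profiles/ URL, (3) a POST to a host whose name was
    not resolved before the Steam fetch."""
    by_host = {}
    for ts, host, kind, detail in sorted(records):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), kind, detail))
    alerts = []
    for host, events in by_host.items():
        cheap = [(ts, d) for ts, k, d in events if k == "dns" and _tld(d) in CHEAP_TLDS]
        if not cheap:
            continue
        t0 = cheap[0][0]
        in_window = [(ts, d) for ts, d in cheap if ts - t0 <= BURST_WINDOW]
        names = sorted({d for _, d in in_window})
        if len(names) < BURST_MIN:
            continue
        burst_end = max(ts for ts, _ in in_window)
        steam = next((ts for ts, k, d in events
                      if k == "http" and d.startswith("GET steamcommunity.com /profiles/")
                      and burst_end <= ts <= burst_end + FOLLOW_WINDOW), None)
        if steam is None:
            continue
        resolved_before = {d for ts, k, d in events if k == "dns" and ts <= steam}
        post = next((d for ts, k, d in events
                     if k == "http" and d.startswith("POST ")
                     and d.split()[1] not in resolved_before
                     and steam < ts <= steam + FOLLOW_WINDOW), None)
        if post is None:
            continue
        alerts.append({"host": host, "burst": names, "steam_fetch": steam.isoformat(),
                       "new_c2": post.split()[1], "post": post})
    return alerts


if __name__ == "__main__":
    for a in detect_lumma_sequence(SAMPLE_LOG):
        print(a)
```

The point of the third stage is that the configured domains are cheap to block and cheap for the operator to rotate, whereas the shape of the fallback (a burst of failed-looking lookups, one Steam profile fetch, then a POST to a never-before-resolved host) survives the rotation. A host that only fetches Steam profiles, as the control host does, produces no alert.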
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assured
Source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digi
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1498233789.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digice
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 
00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: ceFgl3jkkk.exe, 00000002.00000002.1548717939.0000000003430000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details
Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstati
Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.co
Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/im
Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=id
Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?
Source: ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547815675.0000000002B20000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/
Source: ngentask.exe, 00000003.00000002.1613322725.0000000001342000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000003.00000002.1613322725.0000000001347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api
Source: ngentask.exe, 00000003.00000002.1613322725.0000000001342000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api)
Source: ngentask.exe, 00000003.00000002.1613322725.0000000001347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apis
Source: python39.dll.0.dr String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: ceFgl3jkkk.exe, 00000002.00000002.1548717939.0000000003430000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mandiant.com/resources/blog/tracking-malware-import-hashing
Source: ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1548099724.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ntcore.com/files/richsign.htm
Source: ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr String found in binary or memory: https://www.openssl.org/H
Source: ceFgl3jkkk.exe, 00000000.00000003.1503202450.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1548042408.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: ceFgl3jkkk.exe, 00000002.00000003.1506886633.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1506725417.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547469415.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49776 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004348D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004348D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00435785 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_00435785
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F5D1B3 0_2_00F5D1B3
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F592A0 0_2_00F592A0
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F58A40 0_2_00F58A40
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F5D3E5 0_2_00F5D3E5
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6BBE8 0_2_00F6BBE8
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F56C00 0_2_00F56C00
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6FD6C 0_2_00F6FD6C
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F576B4 0_2_00F576B4
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F7169D 0_2_00F7169D
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6FE8C 0_2_00F6FE8C
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6B750 0_2_00F6B750
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F5D1B3 2_2_00F5D1B3
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F592A0 2_2_00F592A0
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F58A40 2_2_00F58A40
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F5D3E5 2_2_00F5D3E5
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6BBE8 2_2_00F6BBE8
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F56C00 2_2_00F56C00
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6FD6C 2_2_00F6FD6C
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F576B4 2_2_00F576B4
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F7169D 2_2_00F7169D
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6FE8C 2_2_00F6FE8C
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6B750 2_2_00F6B750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00411210 3_2_00411210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040D330 3_2_0040D330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040F882 3_2_0040F882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00439E03 3_2_00439E03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042F04C 3_2_0042F04C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00401000 3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004240E0 3_2_004240E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00439090 3_2_00439090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042A14F 3_2_0042A14F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040C150 3_2_0040C150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0043E100 3_2_0043E100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040F1A0 3_2_0040F1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040B1B0 3_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00409270 3_2_00409270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004292C0 3_2_004292C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004012D5 3_2_004012D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004392F0 3_2_004392F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00442350 3_2_00442350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0043A300 3_2_0043A300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00441322 3_2_00441322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00401328 3_2_00401328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042F339 3_2_0042F339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004263EF 3_2_004263EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00405470 3_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004124A9 3_2_004124A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004074B0 3_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00421500 3_2_00421500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040A5D0 3_2_0040A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040B640 3_2_0040B640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004226F0 3_2_004226F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00430698 3_2_00430698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0043A6B0 3_2_0043A6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0041F860 3_2_0041F860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00428807 3_2_00428807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0041683E 3_2_0041683E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004038E0 3_2_004038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00408890 3_2_00408890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042B8A0 3_2_0042B8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00444930 3_2_00444930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042C9C0 3_2_0042C9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004379F9 3_2_004379F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042AA65 3_2_0042AA65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042FA6E 3_2_0042FA6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426A12 3_2_00426A12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00441A90 3_2_00441A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00427B13 3_2_00427B13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040AB20 3_2_0040AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042EBC1 3_2_0042EBC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0041DBCE 3_2_0041DBCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00432BD0 3_2_00432BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00420C10 3_2_00420C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00430C1E 3_2_00430C1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042CC8A 3_2_0042CC8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426D48 3_2_00426D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00425D50 3_2_00425D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426D60 3_2_00426D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040CDD0 3_2_0040CDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00422D80 3_2_00422D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00421D90 3_2_00421D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00433D95 3_2_00433D95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040DE20 3_2_0040DE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00432E30 3_2_00432E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00407EF0 3_2_00407EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042AE82 3_2_0042AE82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00441E90 3_2_00441E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00429F40 3_2_00429F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426F50 3_2_00426F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00437F7A 3_2_00437F7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042BF7F 3_2_0042BF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: String function: 0040CBE0 appears 75 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: String function: 0041CB50 appears 172 times
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F687DB appears 58 times
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F59710 appears 44 times
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F52290 appears 194 times
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F5A140 appears 102 times
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F52340 appears 86 times
Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_uuid.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1495979955.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_multiprocessing.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_asyncio.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs ceFgl3jkkk.exe
Source: ceFgl3jkkk.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/21@11/2
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F565B0 GetLastError,FormatMessageW, 0_2_00F565B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00439BF0 CoCreateInstance,CoCreateInstance, 3_2_00439BF0
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242
Source: ceFgl3jkkk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ceFgl3jkkk.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File read: C:\Users\user\Desktop\ceFgl3jkkk.exe
Source: unknown Process created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Process created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Process created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: python3.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Section loaded: libcrypto-1_1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: ceFgl3jkkk.exe Static file information: File size 7166290 > 1048576
Source: ceFgl3jkkk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ceFgl3jkkk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ceFgl3jkkk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ceFgl3jkkk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ceFgl3jkkk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ceFgl3jkkk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ceFgl3jkkk.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_uuid.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _uuid.pyd.0.dr
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1l 24 Aug 2021built on: Thu Aug 26 18:55:02 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\python39.pdb source: python39.dll.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source: ceFgl3jkkk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ceFgl3jkkk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ceFgl3jkkk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ceFgl3jkkk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ceFgl3jkkk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00449B66 push ds; iretd 3_2_00449B83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00416BE0 pushad ; mov dword ptr [esp], eax 3_2_00416BEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00449C02 push F38BE726h; iretd 3_2_00449C16

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Process created: "C:\Users\user\Desktop\ceFgl3jkkk.exe"
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_uuid.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\python39.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_lzma.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_overlapped.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_queue.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\pyexpat.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_ctypes.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\libssl-1_1.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_bz2.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_asyncio.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_decimal.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_ssl.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_multiprocessing.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\select.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\unicodedata.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\libffi-7.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F55270 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F55270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_uuid.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\python39.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_overlapped.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_lzma.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_queue.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\pyexpat.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_ctypes.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\libssl-1_1.dll
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_bz2.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_asyncio.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_decimal.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_ssl.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_multiprocessing.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\select.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\unicodedata.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe API coverage: 7.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 5948 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 6080 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F603E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 0_2_00F603E2
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F699B3 FindFirstFileExW, 0_2_00F699B3
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F699B3 FindFirstFileExW, 2_2_00F699B3
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F603E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 2_2_00F603E2
Source: ngentask.exe, 00000003.00000002.1613322725.0000000001347000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000003.00000002.1613155400.00000000012ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ceFgl3jkkk.exe, 00000002.00000002.1547337183.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1544241363.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1517209000.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546386874.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00440600 LdrInitializeThunk, 3_2_00440600
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F63987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F63987
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6A500 mov eax, dword ptr fs:[00000030h] 0_2_00F6A500
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F627A5 mov eax, dword ptr fs:[00000030h] 0_2_00F627A5
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6A500 mov eax, dword ptr fs:[00000030h] 2_2_00F6A500
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F627A5 mov eax, dword ptr fs:[00000030h] 2_2_00F627A5
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6AD03 GetProcessHeap, 0_2_00F6AD03
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F5A075 SetUnhandledExceptionFilter, 0_2_00F5A075
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F63987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F63987
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F59986 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F59986
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F59EE1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F59EE1
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F5A075 SetUnhandledExceptionFilter, 2_2_00F5A075
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F63987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00F63987
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F59986 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00F59986
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F59EE1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00F59EE1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: drawwyobstacw.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: condifendteu.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ehticsprocw.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: vennurviot.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: resinedyw.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: enlargkiw.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: allocatinow.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: mathcucom.sbs
Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: droppyrelivei.cfd
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 401000
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 445000
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 448000
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 458000
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: EA6008
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Process created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F5A185 cpuid 0_2_00F5A185
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformation
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_uuid.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F59DD4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F59DD4
Note: this exact four-call sequence is the MSVC CRT's __security_init_cookie, which seeds the /GS stack cookie at process start. It is present in every MSVC-built binary, the PyInstaller bootloader included, and is not by itself a timing or anti-analysis check.
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6D933 _free,GetTimeZoneInformation,_free, 0_2_00F6D933
Note: GetTimeZoneInformation bracketed by _free is consistent with the CRT's time-zone initialisation (_tzset) rather than with sample-specific logic.
Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: MachineGuid is a stable per-installation identifier. Infostealers commonly read it to derive a victim ID, so a read of this value by an unsigned binary running from the user profile is worth a detection rule, although legitimate software reads it as well.
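The _MEI8242 directory and the .pyd and base_library.zip files queried above are the PyInstaller onefile bootloader unpacking its embedded archive into %TEMP% at run time, and the MachineGuid read is host fingerprinting. The script below is an added example, not part of this report and not PyInstaller or LummaC code: it locates and decodes the PyInstaller cookie that the bootloader appends to the executable (field layout taken from PyInstaller's own `!8sIIII64s` format string), and it runs report lines through regexes that flag the _MEI<n> extraction directory, the files unpacked into it and the MachineGuid registry read. The archive bytes and the report lines it operates on are constructed test data; the helper names are the example's own.

```python
"""Triage helpers for the behaviour lines above (added example, not part of the
sandbox report and not PyInstaller or LummaC code).

parse_pyinstaller_cookie(): find and decode the PyInstaller >= 2.1 CArchive cookie
(magic + four big-endian uint32 + 64-byte python library name) appended to a packed
executable.  classify_behaviour(): flag the _MEI<n> temp directory, the modules
unpacked into it and the MachineGuid registry read in raw report lines.
"""
import re
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = ">8sIIII64s"                   # magic, pkg_len, toc_pos, toc_len, pyvers, pylib
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes


def parse_pyinstaller_cookie(data: bytes):
    """Return the decoded cookie as a dict, or None if no PyInstaller cookie is present.

    The cookie is the last 88 bytes of the archive, so search from the end of the
    file: the bootloader's own code may also contain the magic string.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # pyvers is three digits (311 -> 3.11) in current builds, two digits (37 -> 3.7) in old ones.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    archive_start = pos + COOKIE_SIZE - pkg_len   # pkg_len covers payload, TOC and cookie
    if archive_start < 0 or toc_pos + toc_len > pkg_len:
        return None                               # inconsistent fields: not a real cookie
    return {
        "cookie_offset": pos,
        "archive_offset": archive_start,
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def build_sample_archive(payload: bytes, pyvers: int = 311) -> bytes:
    """Constructed test data: payload + dummy TOC + cookie, laid out like a real archive."""
    toc = b"\x00" * 16
    total = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, total, len(payload), len(toc), pyvers, b"python311.dll")
    return payload + toc + cookie


# Constructed from the report lines above (link text dropped).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformation",
    r"Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformation",
    r"Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd VolumeInformation",
    r"Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd VolumeInformation",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Queries volume information: C:\ VolumeInformation",
    r"Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]

SOURCE_RE = re.compile(r"^Source:\s+(\S+)")
MEI_PATH_RE = re.compile(r"\\Temp\\_MEI(\d+)(?:\\([^\s\\]+))?", re.IGNORECASE)
MACHINE_GUID_RE = re.compile(
    r"Key value queried:\s+HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\s+MachineGuid",
    re.IGNORECASE,
)


def classify_behaviour(lines):
    """Map raw sandbox lines to the indicators this section supports."""
    findings = {
        "processes": set(),             # image names that emitted a line
        "pyinstaller_dirs": set(),      # _MEI<pid> extraction directories touched
        "extracted_files": set(),       # files the bootloader unpacked there
        "machine_guid_read": False,     # HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
    }
    for line in lines:
        src = SOURCE_RE.match(line)
        if src:
            findings["processes"].add(src.group(1).rsplit("\\", 1)[-1])
        mei = MEI_PATH_RE.search(line)
        if mei:
            findings["pyinstaller_dirs"].add("_MEI" + mei.group(1))
            if mei.group(2):
                findings["extracted_files"].add(mei.group(2))
        if MACHINE_GUID_RE.search(line):
            findings["machine_guid_read"] = True
    return findings


if __name__ == "__main__":
    print(parse_pyinstaller_cookie(b"MZ" + build_sample_archive(b"\x00" * 64)))
    print(classify_behaviour(SAMPLE_LINES))
```

On a real sample, pass the whole executable's bytes to parse_pyinstaller_cookie(); archive_offset then tells you where the overlay begins, which is the region to carve and hand to a PyInstaller extractor, and python_lib tells you which interpreter DLL to expect in the _MEI directory.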

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR