Windows Analysis Report
bcLKBiuPHu.exe

Overview

General Information

Sample name: bcLKBiuPHu.exe
renamed because original name is a hash value
Original sample name: c13c6923bd8eab75c07640ad362833787d78a005577f8d5e32927139df8e2cd0.exe
Analysis ID: 1500523
MD5: 667ead6e36314bd21b1fa1fb9f1960b6
SHA1: b14ecebb5df15c8ab0f11663d419c2ccb1944760
SHA256: c13c6923bd8eab75c07640ad362833787d78a005577f8d5e32927139df8e2cd0
Tags: AdvancedPersistentThreat, exe

Detection

Score: 39
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Antivirus detection for URL or domain
Found pyInstaller with non standard icon
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: https://github.com/BrowserCompanyLLC/-12/releases/download/semtag/Cloud.bat Avira URL Cloud: Label: malware
Source: bcLKBiuPHu.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: bcLKBiuPHu.exe Static PE information: certificate valid
Source: bcLKBiuPHu.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: gcapi_dll.dll.pdb| source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: BTR.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: MpGear.pdb source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLD.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLDriver.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngCP.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BTR.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: mpengine.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngCP.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: gcapi_dll.dll.pdb source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: mpengine.pdbOGPS source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLDriver.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: offreg.pdbH source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngSvc.pdb source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngSvc.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLD.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: offreg.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1244614120.0000000006439000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpGear.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\Temp\_MEI63002\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\Temp\_MEI63002\certifi\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\Temp\_MEI63002\certifi\cacert.pem
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\
Source: Joe Sandbox View IP Address: 140.82.121.4 140.82.121.4
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: github.com
Source: bcLKBiuPHu.exe, 00000003.00000003.1314799727.0000000008B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.../back.jpeg
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://.ocx.cabhtml:file::LowTelemetry
Source: bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.coZ
Source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.0000000006439000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242027207.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242754558.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1337076500.0000000006429000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.0000000006438000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239459058.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1333467486.0000000006429000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242027207.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242754558.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.0000000006438000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239459058.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242027207.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242754558.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.0000000006438000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239459058.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.0000000006439000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242027207.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242754558.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.0000000006438000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239459058.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: bcLKBiuPHu.exe, 00000003.00000003.1305121391.0000000008950000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305400557.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305378289.00000000089A5000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305605705.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305270796.0000000008975000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305543531.00000000089A6000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305655841.0000000008986000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305302869.0000000008981000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305820390.000000000898D000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305236312.0000000008964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306585549.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1310455367.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318001972.000000000893E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307739581.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1312460362.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303394012.000000000637C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1311527971.000000000637D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: bcLKBiuPHu.exe, 00000003.00000003.1318560773.0000000008940000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306585549.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1310455367.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318001972.000000000893E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307739581.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1312460362.000000000892E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: bcLKBiuPHu.exe, 00000003.00000003.1303394012.000000000637C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1311527971.000000000637D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crls
Source: bcLKBiuPHu.exe, 00000003.00000003.1305121391.0000000008950000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305400557.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305378289.00000000089A5000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305605705.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305270796.0000000008975000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305543531.00000000089A6000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305655841.0000000008986000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305302869.0000000008981000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305820390.000000000898D000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305236312.0000000008964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: bcLKBiuPHu.exe, 00000003.00000003.1305121391.0000000008950000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305400557.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305605705.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305270796.0000000008975000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305655841.0000000008986000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305302869.0000000008981000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305820390.000000000898D000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305236312.0000000008964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crln
Source: bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306585549.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1310455367.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318001972.000000000893E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307739581.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1312460362.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318121001.0000000008942000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: bcLKBiuPHu.exe, 00000003.00000003.1303253961.00000000088DC000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307855542.000000000890F000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303473001.000000000890B000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1302847391.00000000088BC000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305159281.000000000890C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306585549.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1310455367.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318001972.000000000893E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307739581.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1312460362.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318121001.0000000008942000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: bcLKBiuPHu.exe, 00000003.00000003.1303253961.00000000088DC000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307855542.000000000890F000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303473001.000000000890B000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1302847391.00000000088BC000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305159281.000000000890C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306585549.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1310455367.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318001972.000000000893E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307739581.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1312460362.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318121001.0000000008942000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: bcLKBiuPHu.exe, 00000003.00000003.1303394012.000000000637C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1311527971.000000000637D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306585549.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1310455367.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318001972.000000000893E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307739581.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1312460362.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1318121001.0000000008942000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlwo
Source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.0000000006439000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242027207.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1242754558.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1337076500.0000000006429000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1244614120.000000000642E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1241117223.0000000006438000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1239459058.000000000642C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000000.00000003.1333467486.0000000006429000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bcLKBiuPHu.exe, 00000003.00000002.1332779998.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1331206241.0000000006312000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1313922728.0000000006310000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307096445.00000000062FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/BrowserCompanyLLC/-12/releases/download/semtag/Cloud.bat
Source: bcLKBiuPHu.exe, 00000003.00000003.1311571579.0000000008888000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1269519670.0000000008881000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1268766598.0000000008878000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306494799.0000000008886000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1268832518.0000000008883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: bcLKBiuPHu.exe, 00000003.00000003.1314520975.0000000006311000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1331206241.0000000006312000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255437380.0000000006332000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1313922728.0000000006310000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307096445.00000000062FF000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255454545.0000000006327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: bcLKBiuPHu.exe, 00000003.00000002.1331983819.0000000008110000.00000004.00001000.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255437380.0000000006332000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255454545.0000000006327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: bcLKBiuPHu.exe, 00000003.00000003.1255454545.0000000006327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: bcLKBiuPHu.exe, 00000003.00000003.1314520975.0000000006311000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1331206241.0000000006312000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255437380.0000000006332000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1313922728.0000000006310000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307096445.00000000062FF000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255454545.0000000006327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: bcLKBiuPHu.exe, 00000003.00000003.1268439386.0000000006397000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306810010.0000000006396000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1269165843.0000000006397000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1260159474.0000000006349000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1260234135.0000000006362000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1308557594.00000000063A9000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1260328318.000000000844E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1260607479.0000000006397000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307264135.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1311250835.00000000063A9000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1309138216.00000000063A9000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1260038704.000000000844C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307149151.0000000006396000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1260181354.000000000844C000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1260905580.0000000006397000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1262187965.0000000006397000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303394012.0000000006396000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1267244395.0000000006397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: bcLKBiuPHu.exe, 00000003.00000003.1314520975.0000000006311000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1331206241.0000000006312000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255437380.0000000006332000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1313922728.0000000006310000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307096445.00000000062FF000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1255454545.0000000006327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: bcLKBiuPHu.exe, 00000003.00000003.1306937644.0000000008862000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307892105.0000000008863000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1308932104.0000000008868000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: bcLKBiuPHu.exe, 00000003.00000003.1314834806.0000000008790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: bcLKBiuPHu.exe, 00000003.00000003.1311571579.0000000008888000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1310362216.0000000008858000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1269519670.0000000008881000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1309864755.0000000008854000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1268766598.0000000008878000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306494799.0000000008886000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307892105.0000000008851000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1268832518.0000000008883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: bcLKBiuPHu.exe, 00000003.00000003.1310362216.0000000008858000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1309864755.0000000008854000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307892105.0000000008851000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: bcLKBiuPHu.exe, 00000003.00000002.1332191108.00000000083F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: bcLKBiuPHu.exe, 00000003.00000003.1313703072.000000000885B000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1309864755.000000000885B000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1309546342.000000000885A000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307892105.0000000008851000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: bcLKBiuPHu.exe, 00000003.00000003.1268832518.0000000008883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: bcLKBiuPHu.exe, 00000003.00000003.1277856120.00000000088D0000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307892105.0000000008863000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1278810039.00000000088A2000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306379297.00000000088E2000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1308932104.0000000008868000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: bcLKBiuPHu.exe, 00000003.00000003.1314340390.0000000006340000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1314567086.0000000006345000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1304077858.000000000633F000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1314498469.0000000006342000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: bcLKBiuPHu.exe, 00000003.00000003.1308107530.0000000008861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json.org
Source: bcLKBiuPHu.exe, 00000003.00000003.1270776760.000000000638A000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306477150.00000000084BF000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1270153053.00000000088FC000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1270521497.00000000088F1000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1270746328.00000000088FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: bcLKBiuPHu.exe, 00000003.00000003.1259593796.0000000006361000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1259432613.0000000006361000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1332931547.0000000008550000.00000004.00001000.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1259508438.000000000635F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0205/
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://piriform.zendesk.com/hc/en-us/articles/204043884-Using-CCleaner-s-Drive-Wiper
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://piriform.zendesk.com/hc/en-us/articles/218109957-How-do-I-manage-browser-plugins-
Source: bcLKBiuPHu.exe, 00000003.00000003.1314340390.0000000006340000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1314567086.0000000006345000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1304077858.000000000633F000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1314498469.0000000006342000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1277856120.00000000088D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://sciter.com/forums/topic/plus-custom-output-formatter-wont-work-if-they-are-written-in-htm/#p
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://secure.ccleaner.com/502/uurl-90zu4qtn5p?
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://secure.ccleaner.com/502/uurl-90zu4qtn5p?x-source=833
Source: bcLKBiuPHu.exe, 00000003.00000003.1310362216.0000000008858000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1309864755.0000000008854000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307892105.0000000008851000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: bcLKBiuPHu.exe, 00000003.00000003.1311571579.0000000008888000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1269519670.0000000008881000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1268766598.0000000008878000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306494799.0000000008886000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1268832518.0000000008883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: bcLKBiuPHu.exe, 00000003.00000003.1314834806.0000000008790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.avast.com/lp-ppc-nbu-fav-cc
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/business
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/business/ccleaner-business-edition
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/ccleaner
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/ccleaner/browser
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/docs/ccleaner/ccleaner-settings/choosing-which-cookies-to-keep
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/docs/ccleaner/using-ccleaner/browser-cleaning
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/docs/ccleaner/using-ccleaner/managing-auto-starting-programs
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/docs/ccleaner/using-ccleaner/uninstalling-programs
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_cc_help_performance_optimizer
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_cc_help_preloading
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_cc_help_schedule_setup?utm_source=ccleaner&utm_medium=application&ut
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_deactivated_help
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_du_support
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_du_survey
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_du_systemprotection
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_du_systemrestoreinfo
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_no_license_error
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000000.00000000.1233156408.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.000000000191D000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.000000000191D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.ccleaner.com/go/app_po_survey
Source: bcLKBiuPHu.exe, 00000000.00000003.1242027207.000000000642E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/H
Source: bcLKBiuPHu.exe, 00000003.00000003.1314340390.0000000006340000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1314567086.0000000006345000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1304077858.000000000633F000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1314498469.0000000006342000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org
Source: bcLKBiuPHu.exe, 00000003.00000003.1270776760.000000000638A000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306477150.00000000084BF000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1270153053.00000000088FC000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1270521497.00000000088F1000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1270746328.00000000088FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: bcLKBiuPHu.exe, 00000003.00000003.1256438125.0000000006349000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1256524327.00000000083D7000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1332883011.0000000008510000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: bcLKBiuPHu.exe, 00000003.00000003.1305121391.0000000008950000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306268970.0000000008991000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305400557.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305605705.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305270796.0000000008975000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1315693300.0000000008999000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305655841.0000000008986000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1317685409.0000000008999000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305849534.0000000008990000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305302869.0000000008981000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305820390.000000000898D000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305236312.0000000008964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: bcLKBiuPHu.exe, 00000003.00000003.1305121391.0000000008950000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305378289.00000000089A5000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305270796.0000000008975000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305543531.00000000089A6000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305302869.0000000008981000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305236312.0000000008964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: bcLKBiuPHu.exe, 00000003.00000003.1305121391.0000000008950000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1306268970.0000000008991000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305400557.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305605705.0000000008982000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305270796.0000000008975000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1315693300.0000000008999000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1303734235.000000000892E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305655841.0000000008986000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1317685409.0000000008999000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305849534.0000000008990000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305302869.0000000008981000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305820390.000000000898D000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1305236312.0000000008964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/r
Source: bcLKBiuPHu.exe, 00000003.00000003.1310362216.0000000008858000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1309864755.0000000008854000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307892105.0000000008851000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: GetRawInputData memstr_8bc9f796-8
Source: bcLKBiuPHu.exe Static PE information: Resource name: BINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: bcLKBiuPHu.exe Static PE information: Resource name: BINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: bcLKBiuPHu.exe Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: bcLKBiuPHu.exe Static PE information: Resource name: FILE type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000001254000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMsMpEngCP.exeZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: \Unknown member: doshdr.%spevars not availableUnknown member: pehdr.%sInvalid index in DataDirectory: %dInvalid index in opclog: %dInvalid index in fopclog2: %dInvalid index in epcode: %dInvalid index in fopclog: %dUnknown member: peattributes.%sInvalid section %d or bigger than NumberOfSection=%d!__mmap_ex() failedpe_fofs_to_mofs failed!__mmap_ex(%d) failedmmap_patch(): buffer is emptymmap_patch_buff() failedpe_mofs_to_fofs(%d) failedUfsSeekRead(%d) failedImageName is NULLStringCchCopyA failedFileDescriptionInternalNameCompanyNamepe.get_versioninfo() failed to create the StringVersionIterator: %sInvalid sigattr_head indexpe.vm_search: mask_size != buffer_sizeInvalid index in netmetadata.tokens: %dpe.get_fixedversioninfo() failed to create the StringVersionIterator: %sFileVersionFileTypeFileSubtypeFileDateOriginalFilenameProductVersionFileFlagsMaskFileFlagsFileOSpe.metadata_decode: decode failed for 0x%xInvalid index in v->imps: %dfnrvape.metadata_decode: Invalid field index %d (should be 1-based)9m vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ClearOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $OFNAllowIdenticalNamesClearOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mZOriginalFileNameMaintenanceWindow vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mZOriginalFileNameMaintenanceWindowprocessed%zd files in Moac, %zd skipped (cached), %zd filename setOriginalFileName Maintenance:HintENG:OFNPROCESSED:) vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .?AVCMaintenanceOriginalFileNameTask@@ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBTR.sysZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameoffreg.dllj% vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKSLDriver.sysZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKSLD.sysZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: GetOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SetOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ENG:OFNSET:SetOriginalFileNameProcess:process:// vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameCreatorProcessId<Process ProcessId="%u" ProcessCreationTime="%llu" CreatorProcessId="%u" CreatorProcessCreationTime="%llu" Name="%s" IsExcluded="%u" IsFriendly="%u"> vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SecondParameterBM_RegistryKeyDeleteBM_RegistryKeyRenameBM_RegistryDeleteValueBM_RegistrySetValueBM_OpenFileBM_DeleteFileBM_RegistryKeyCreateBM_FileMetaDataBM_ProcessCreateBM_RawWriteBM_NetworkDetectionBM_ProcessStartBM_NetworkDataSendBM_NetworkConnectBM_RemoteThreadCreateBM_BootSectorChangeBM_Etw_PsSetLoadImageNotifyRoutineBM_EngineInternalBM_Etw_SetEventHookBM_Etw_TerminateProcessBM_ModuleLoadBM_ArDetectionBM_RegistryBlockDeleteBM_RegistryBlockSetBM_Etw_OpenThreadBM_Etw_OpenProcessBM_Etw_RegisterShutdownBM_Etw_RegisterLastShutdownBM_Etw_NtAdjustPrivilegesBM_Etw_RegisterInputDevicesBM_Etw_WriteMemoryBM_Etw_SetThreadContextBM_RegistryBlockReplaceBM_RegistryBlockRestoreBM_DesktopBM_VolumeMountBM_RegistryRestoreBM_Etw_CreateLinkBM_RegistryBlockRenameBM_RegistryReplaceBM_Etw_SetWindowsHookBM_Etw_BlockExploitBM_CreateFolderBM_Etw_GetAsyncKeyStateBM_BlockOpenProcessBM_OpenProcessBM_Etw_CodeInjectionBM_RegistryBlockCreateBM_EnumFolderBM_Etw_WMIExecMethodBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_ENFORCEBM_RenameFolderBM_Etw_DirEnumBM_Etw_AllocVmLocalBM_Etw_WMIActivityNewBM_Etw_ClearLogBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_AUDITBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_AUDITBM_HardLinkFileBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_AUDITBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_ENFORCEBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_ENFORCEBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_AUDITBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_ENFORCEBM_Etw_CredEnumerateBM_Etw_CredReadCredentialsBM_Etw_CredFindBestCredentialBM_Etw_CredReadDomainCredentialsBM_DLPBM_CopyFileBM_Etw_OCTAGON_PROCESS_TAMPERING_AUDITBM_Etw_OCTAGON_PROCESS_TAMPERING_ENFORCEBM_TaintBM_Etw_VaultGetUniqueCredentialBM_Amsi_MatchBM_Amsi_ScanBM_Etw_CredBackupCredentialsBM_Etw_CredReadByTokenHandleBM_Etw_VaultEnumerateCredentialsBM_Etw_VaultFindCredentialsBM_Etw_LogonFailureBM_Etw_LogonSuccessBM_Etw_AccountPasswordChangedBM_Etw_UserAccountChangedBM_Etw_BITSCreateBM_Etw_LDAPSearchBM_Etw_ScheduledTaskUpdateBM_Etw_ScheduledTaskCreateBM_Etw_ExploitProtectionBM_Etw_UserAccountCreatedBM_Network_VolumeBM_Network_PortOpenBM_Etw_HiveHistoryClearBM_Etw_AccountPasswordResetBM_SignatureTriggerBM_OriginalFileNameBM_Etw_UnloadDriverBM_Etw_LoadDriverBM_Etw_UnloadDeviceBM_Etw_LoadDeviceBM_Etw_ResumeThreadBM_Etw_SuspendThreadBM_Etw_ResumeProcessBM_Etw_SuspendProcessBM_Etw_ServiceHostStartedBM_Etw_ServiceChangeAccountInfoBM_Network_FailureBM_Etw_ServiceStartedBM_Etw_ServiceStopBM_Etw_ProtectVmLocalBM_Etw_ServiceChangeBinaryPathBM_Etw_ServiceChangeStartTypeAL""L"%ls""%hS"BM_Etw_AllocVmRemoteBM_Etw_ProtectVmRemoteBM_Etw_V2CodeInjectionBM_Etw_ReadVmRemoteATTR_%08lxSigSeqThreatName{0, %ls, __attr_none__, %ls, %ls}0x%lXError while processing Event, i.e you're missing an event.Error while processing Event: ID = [%d], HR = [%lx]IsPePlusIsPeFileInfoIsPacked vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCompanyNameCommentsLegalCopyrightProductNameFileDescriptionLegalTrademarksPeStaticCRC3LengthCRC1IatSkipCRC3CRC2CopyrightCommentsArchitectureTrademarksFileVersionPeStaticsEpSecSectionKCRC2KCRC1KCRC3InternalNameFileDescriptionOriginalFileNamePEUnknownx86ia64x64 vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMsMpEngSvc.dllZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamempengine.dllZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMpGear.dllZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebranding.dll\ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1242027207.000000000642E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1244614120.000000000642E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1237480769.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000000.00000003.1239459058.000000000642C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: GetOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SetOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ENG:OFNSET:SetOriginalFileNameProcess:process:// vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameCreatorProcessId<Process ProcessId="%u" ProcessCreationTime="%llu" CreatorProcessId="%u" CreatorProcessCreationTime="%llu" Name="%s" IsExcluded="%u" IsFriendly="%u"> vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SecondParameterBM_RegistryKeyDeleteBM_RegistryKeyRenameBM_RegistryDeleteValueBM_RegistrySetValueBM_OpenFileBM_DeleteFileBM_RegistryKeyCreateBM_FileMetaDataBM_ProcessCreateBM_RawWriteBM_NetworkDetectionBM_ProcessStartBM_NetworkDataSendBM_NetworkConnectBM_RemoteThreadCreateBM_BootSectorChangeBM_Etw_PsSetLoadImageNotifyRoutineBM_EngineInternalBM_Etw_SetEventHookBM_Etw_TerminateProcessBM_ModuleLoadBM_ArDetectionBM_RegistryBlockDeleteBM_RegistryBlockSetBM_Etw_OpenThreadBM_Etw_OpenProcessBM_Etw_RegisterShutdownBM_Etw_RegisterLastShutdownBM_Etw_NtAdjustPrivilegesBM_Etw_RegisterInputDevicesBM_Etw_WriteMemoryBM_Etw_SetThreadContextBM_RegistryBlockReplaceBM_RegistryBlockRestoreBM_DesktopBM_VolumeMountBM_RegistryRestoreBM_Etw_CreateLinkBM_RegistryBlockRenameBM_RegistryReplaceBM_Etw_SetWindowsHookBM_Etw_BlockExploitBM_CreateFolderBM_Etw_GetAsyncKeyStateBM_BlockOpenProcessBM_OpenProcessBM_Etw_CodeInjectionBM_RegistryBlockCreateBM_EnumFolderBM_Etw_WMIExecMethodBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_ENFORCEBM_RenameFolderBM_Etw_DirEnumBM_Etw_AllocVmLocalBM_Etw_WMIActivityNewBM_Etw_ClearLogBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_AUDITBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_AUDITBM_HardLinkFileBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_AUDITBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_ENFORCEBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_ENFORCEBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_AUDITBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_ENFORCEBM_Etw_CredEnumerateBM_Etw_CredReadCredentialsBM_Etw_CredFindBestCredentialBM_Etw_CredReadDomainCredentialsBM_DLPBM_CopyFileBM_Etw_OCTAGON_PROCESS_TAMPERING_AUDITBM_Etw_OCTAGON_PROCESS_TAMPERING_ENFORCEBM_TaintBM_Etw_VaultGetUniqueCredentialBM_Amsi_MatchBM_Amsi_ScanBM_Etw_CredBackupCredentialsBM_Etw_CredReadByTokenHandleBM_Etw_VaultEnumerateCredentialsBM_Etw_VaultFindCredentialsBM_Etw_LogonFailureBM_Etw_LogonSuccessBM_Etw_AccountPasswordChangedBM_Etw_UserAccountChangedBM_Etw_BITSCreateBM_Etw_LDAPSearchBM_Etw_ScheduledTaskUpdateBM_Etw_ScheduledTaskCreateBM_Etw_ExploitProtectionBM_Etw_UserAccountCreatedBM_Network_VolumeBM_Network_PortOpenBM_Etw_HiveHistoryClearBM_Etw_AccountPasswordResetBM_SignatureTriggerBM_OriginalFileNameBM_Etw_UnloadDriverBM_Etw_LoadDriverBM_Etw_UnloadDeviceBM_Etw_LoadDeviceBM_Etw_ResumeThreadBM_Etw_SuspendThreadBM_Etw_ResumeProcessBM_Etw_SuspendProcessBM_Etw_ServiceHostStartedBM_Etw_ServiceChangeAccountInfoBM_Network_FailureBM_Etw_ServiceStartedBM_Etw_ServiceStopBM_Etw_ProtectVmLocalBM_Etw_ServiceChangeBinaryPathBM_Etw_ServiceChangeStartTypeAL""L"%ls""%hS"BM_Etw_AllocVmRemoteBM_Etw_ProtectVmRemoteBM_Etw_V2CodeInjectionBM_Etw_ReadVmRemoteATTR_%08lxSigSeqThreatName{0, %ls, __attr_none__, %ls, %ls}0x%lXError while processing Event, i.e you're missing an event.Error while processing Event: ID = [%d], HR = [%lx]IsPePlusIsPeFileInfoIsPacked vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCompanyNameCommentsLegalCopyrightProductNameFileDescriptionLegalTrademarksPeStaticCRC3LengthCRC1IatSkipCRC3CRC2CopyrightCommentsArchitectureTrademarksFileVersionPeStaticsEpSecSectionKCRC2KCRC1KCRC3InternalNameFileDescriptionOriginalFileNamePEUnknownx86ia64x64 vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: \Unknown member: doshdr.%spevars not availableUnknown member: pehdr.%sInvalid index in DataDirectory: %dInvalid index in opclog: %dInvalid index in fopclog2: %dInvalid index in epcode: %dInvalid index in fopclog: %dUnknown member: peattributes.%sInvalid section %d or bigger than NumberOfSection=%d!__mmap_ex() failedpe_fofs_to_mofs failed!__mmap_ex(%d) failedmmap_patch(): buffer is emptymmap_patch_buff() failedpe_mofs_to_fofs(%d) failedUfsSeekRead(%d) failedImageName is NULLStringCchCopyA failedFileDescriptionInternalNameCompanyNamepe.get_versioninfo() failed to create the StringVersionIterator: %sInvalid sigattr_head indexpe.vm_search: mask_size != buffer_sizeInvalid index in netmetadata.tokens: %dpe.get_fixedversioninfo() failed to create the StringVersionIterator: %sFileVersionFileTypeFileSubtypeFileDateOriginalFilenameProductVersionFileFlagsMaskFileFlagsFileOSpe.metadata_decode: decode failed for 0x%xInvalid index in v->imps: %dfnrvape.metadata_decode: Invalid field index %d (should be 1-based)9m vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ClearOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $OFNAllowIdenticalNamesClearOriginalFileName vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mZOriginalFileNameMaintenanceWindow vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mZOriginalFileNameMaintenanceWindowprocessed%zd files in Moac, %zd skipped (cached), %zd filename setOriginalFileName Maintenance:HintENG:OFNPROCESSED:) vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .?AVCMaintenanceOriginalFileNameTask@@ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBTR.sysZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameoffreg.dllj% vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKSLDriver.sysZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKSLD.sysZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000001254000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMsMpEngCP.exeZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMsMpEngSvc.dllZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamempengine.dllZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMpGear.dllZ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebranding.dll\ vs bcLKBiuPHu.exe
Source: bcLKBiuPHu.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: sus39.winEXE@4/19@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1228:120:WilError_03
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user~1\AppData\Local\Temp\_MEI63002
Source: bcLKBiuPHu.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime FROM AtomicCounters WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, ScalarFactor = ?, LinearFactor = ?, DecayInterval = ?, HighCount = ?, LastDecayTime = ?, WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID from File WHERE SHA1 = ? ;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM RansomwareDetections WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM RansomwareDetections;DELETE FROM RansomwareDetections WHERE Key = ?;SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?|
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;DELETE FROM ProcessBlockHistory;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? 
AND TimeStamp = ?;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT COUNT(1) FROM ProcessBlockHistory;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1[3
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; SELECT COUNT(1) FROM FileLowFiAsync; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;B
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?; SELECT COUNT(1) FROM AttributePersistContext;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(32, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(32, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributeCounts;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM ValueMapArray WHERE RecordType = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' 
ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN Engine ON ScanInfo.EngineID = Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Count(1) FROM DynSigRevisions;SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT (SELECT COUNT(*) FROM File) + (SELECT COUNT(*) FROM FileInstance);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File read: C:\Users\user\Desktop\bcLKBiuPHu.exe
Source: unknown Process created: C:\Users\user\Desktop\bcLKBiuPHu.exe "C:\Users\user\Desktop\bcLKBiuPHu.exe"
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Process created: C:\Users\user\Desktop\bcLKBiuPHu.exe "C:\Users\user\Desktop\bcLKBiuPHu.exe"
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: python3.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: libcrypto-3.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: libssl-3.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: libcrypto-3.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Section loaded: kernel.appcore.dll
Source: bcLKBiuPHu.exe Static PE information: certificate valid
Source: bcLKBiuPHu.exe Static file information: File size 35527104 > 1048576
Source: bcLKBiuPHu.exe Static PE information: section name: RT_CURSOR
Source: bcLKBiuPHu.exe Static PE information: section name: RT_BITMAP
Source: bcLKBiuPHu.exe Static PE information: section name: RT_ICON
Source: bcLKBiuPHu.exe Static PE information: section name: RT_MENU
Source: bcLKBiuPHu.exe Static PE information: section name: RT_DIALOG
Source: bcLKBiuPHu.exe Static PE information: section name: RT_STRING
Source: bcLKBiuPHu.exe Static PE information: section name: RT_ACCELERATOR
Source: bcLKBiuPHu.exe Static PE information: section name: RT_GROUP_ICON
Source: bcLKBiuPHu.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1aae600
Source: bcLKBiuPHu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bcLKBiuPHu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bcLKBiuPHu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bcLKBiuPHu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bcLKBiuPHu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bcLKBiuPHu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: bcLKBiuPHu.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: bcLKBiuPHu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: gcapi_dll.dll.pdb| source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: BTR.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: MpGear.pdb source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLD.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLDriver.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngCP.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BTR.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: mpengine.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1239275348.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1239142078.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngCP.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: gcapi_dll.dll.pdb source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: mpengine.pdbOGPS source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLDriver.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: offreg.pdbH source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1238533849.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1244326319.000000000642E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngSvc.pdb source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1238747954.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1238964960.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MsMpEngSvc.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: KSLD.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: offreg.pdb source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1244614120.0000000006439000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpGear.pdbGCTL source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: bcLKBiuPHu.exe, 00000000.00000003.1239360047.000000000642C000.00000004.00000020.00020000.00000000.sdmp
Source: bcLKBiuPHu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bcLKBiuPHu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bcLKBiuPHu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bcLKBiuPHu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bcLKBiuPHu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: VCRUNTIME140.dll.0.dr Static PE information: 0x7EDF1B0D [Sun Jun 14 00:04:29 2037 UTC]
Source: libcrypto-3.dll.0.dr Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr Static PE information: section name: .00cfg
Source: python311.dll.0.dr Static PE information: section name: PyRuntim
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Code function: 0_2_00246C13 push ecx; ret 0_2_00246C26

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Process created: "C:\Users\user\Desktop\bcLKBiuPHu.exe"
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_lzma.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\select.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_ssl.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\python311.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_hashlib.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_socket.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_bz2.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\libssl-3.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer\md.cp311-win32.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_brotli.cp311-win32.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\libcrypto-3.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\unicodedata.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_decimal.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\_queue.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer\md__mypyc.cp311-win32.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_lzma.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_ssl.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\select.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\python311.dll
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_hashlib.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_socket.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_bz2.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer\md.cp311-win32.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_brotli.cp311-win32.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\unicodedata.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_decimal.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\_queue.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer\md__mypyc.cp311-win32.pyd
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\Temp\_MEI63002\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\Temp\_MEI63002\certifi\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\Temp\_MEI63002\certifi\cacert.pem
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe File opened: C:\Users\user~1\AppData\
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: detects_vmware
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey4=%LocalAppData%\VMware|*.log
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey6=%LocalAppData%\Temp|VMware_Horizon_Client*.log
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [VMware Horizon Client]
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DetectFile1=%ProgramFiles%\VMware\VMware Horizon View Client
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey6=%ProgramFiles%\VMware\VMware Workstation\ico|*.ico
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey3=%ProgramData%\VMware\VDM\logs|*.*
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: pea_detects_vmware
Source: bcLKBiuPHu.exe, 00000003.00000003.1316711668.000000000635F000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307718034.000000000635E000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1307408360.000000000635A000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1304077858.000000000633F000.00000004.00000020.00020000.00000000.sdmp, bcLKBiuPHu.exe, 00000003.00000003.1316919597.0000000006363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey2=%ProgramData%\VMware\VDM\logs|*.*
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [VMware Player]
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DetectFile1=%ProgramFiles%\VMware\VMware Player
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey4=%LocalAppData%\VMware\VDM\logs|*.*
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [VMware Workstation]
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DetectFile1=%ProgramFiles%\VMware\VMware Workstation
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey4=%LocalAppData%\Temp\vmware-*|*.*
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey5=%LocalAppData%\Temp\vmware-*|*.*
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey5=%ProgramFiles%\Common Files\VMware\InstallerCache|*.*
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: azurevirtualmachinename_scrubbed
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DetectFile2=%ProgramFiles%\VMware\VMware Workstation
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey3=%LocalAppData%\Temp\vmware-*|*.*
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: VMwareVMware
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: VMware Horizon Client
Source: bcLKBiuPHu.exe, 00000000.00000001.1235527314.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000001.1254475437.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: azurevirtualmachinename
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: dynmem_detects_vmware
Source: bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: pea_dynmem_detects_vmware
Source: bcLKBiuPHu.exe, 00000000.00000000.1233156408.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000000.1252684085.0000000000C59000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Software\Microsoft\Windows DefenderSOFTWARE\Policies\Microsoft\SQMClient\WindowsPhoneSoftware\Policies\Microsoft\SQMClient%windir%\temp%ProgramFiles(x86)%NtGetCachedSigningLevelSOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlockhr=0x%08XThreatTrackingSigSeqEmuldet.Ainvalid hash bucket count&
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey1=%ProgramData%\VMware\logs|*.*
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: VMware Player
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001BF6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: VMware Workstation
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey3=%ProgramData%\VMware\vmwetlm\logs|*.*
Source: bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FileKey2=%Program Files%\VMware\VMware Player\ico|*.*
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Code function: 0_2_00237B5D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00237B5D
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Process created: C:\Users\user\Desktop\bcLKBiuPHu.exe "C:\Users\user\Desktop\bcLKBiuPHu.exe"
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\certifi VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\libssl-3.dll VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\python311.dll VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\_brotli.cp311-win32.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\_queue.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer\md.cp311-win32.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\charset_normalizer\md__mypyc.cp311-win32.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Documents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\Desktop\bcLKBiuPHu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\certifi\cacert.pem VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\certifi\cacert.pem VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63002\certifi\cacert.pem VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bcLKBiuPHu.exe Code function: 0_2_0022AF88 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0022AF88
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DetectFile1=%ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe
Source: bcLKBiuPHu.exe, 00000000.00000002.1333966196.0000000001257000.00000002.00000001.01000000.00000003.sdmp, bcLKBiuPHu.exe, 00000003.00000002.1324019828.0000000001257000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DetectFile2=%ProgramFiles%\Malwarebytes Anti-Malware\mbam.exe